Active remote code execution (RCE) attacks could target more than 6,000 SmarterMail servers that are open to the public. Security researchers used daily HTTP vulnerability scans to find the vulnerabilities, and attempts at exploitation have already been seen in the wild.
Organizations all over the world that depend on SmarterMail for business email operations are seriously threatened by this.

Vulnerability Overview: The SmarterMail password reset API has a critical authentication bypass vulnerability (CVE-2026-23760) that affects all versions before Build 9511, which was released on January 15, 2026. With a CVSS score of 9.3, the vulnerability poses a serious risk to the impacted systems.
The vulnerability is in the /api/v1/auth/force-reset-password endpoint, which allows unauthenticated requests to target administrator accounts without requiring reset tokens or password verification. By taking advantage of this flaw, an attacker can instantly take control of an administrator account by providing a new password for any administrator username. Critically, SmarterMail administrators have built-in functionality that enables direct execution of operating system commands through the Settings interface, effectively elevating the compromise to SYSTEM-level access on the underlying host.
Multiple security organizations have confirmed active exploitation since at least January 17, 2026, just two days after the patch release.
Huntress Labs observed threat actors using the compromised administrator accounts to create malicious System Events that were set up to carry out reconnaissance commands on susceptible hosts. With attackers methodically resetting accounts, acquiring authentication tokens, and setting up persistent backdoors, the attack chain shows a deep comprehension of SmarterMail architecture. watchTowr Labs received anonymous reports confirming that threat actors were taking advantage of the vulnerability in production environments.
especially worrisome because attackers actively keep an eye on release notes and use patch diffing to exploit vulnerabilities. Although the precise regional breakdown has not been made public, Shadowserver's geographically dispersed scanning finds vulnerable instances across several continents.
The substantial attack surface is highlighted by the discovery of 6,000 vulnerable IPs, especially since many organizations are still unaware of the patches that are available. SmarterTools strongly advises updating to the most recent build right away. Patching should be an organization's top priority because attackers are actively targeting unpatched instances and exploitation attempts show no signs of slowing down.
Security teams should review administrator account activity logs for unauthorized password resets. Investigate potential web shells or malware installed via exploitation, and confirm system backups remain uncompromised.
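One way to start the log review described above, as an added example that is not from the article or from SmarterTools: it assumes the web front end writes W3C extended logs (the IIS format) and runs over constructed sample lines. A hit is a lead to correlate with administrator account changes, not proof of compromise.

```python
from collections import defaultdict

ENDPOINT = "/api/v1/auth/force-reset-password"  # path named in the article

# Constructed sample in W3C extended format (documentation-range addresses).
# Note the second "#Fields:" line: the column order can change mid-file.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2026-01-17 03:12:44 GET /index.html 198.51.100.7 200
2026-01-17 03:12:51 POST /api/v1/auth/force-reset-password 198.51.100.7 200
2026-01-18 11:40:10 POST /API/v1/auth/force-reset-password 203.0.113.9 400
2026-01-18 11:40:12 POST /api/v1/auth/force-reset-password 203.0.113.9 400
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-19 08:00:00 192.0.2.15 GET /favicon.ico 200
2026-01-19 08:00:05 192.0.2.15 POST /api/v1/auth/force-reset-password/ 200
"""

def find_reset_hits(log_text):
    """Return {client_ip: summary} for every request to ENDPOINT."""
    fields = []
    hits = defaultdict(lambda: {"count": 0, "succeeded": 0,
                                "first": None, "last": None})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # re-learn the column layout
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Compare case-insensitively and ignore a trailing slash.
        if row.get("cs-uri-stem", "").lower().rstrip("/") != ENDPOINT:
            continue
        entry = hits[row.get("c-ip", "?")]
        stamp = f'{row.get("date", "")} {row.get("time", "")}'.strip()
        entry["count"] += 1
        entry["succeeded"] += row.get("sc-status", "").startswith("2")
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
    return dict(hits)

if __name__ == "__main__":
    ranked = sorted(find_reset_hits(SAMPLE_LOG).items(),
                    key=lambda kv: -kv[1]["succeeded"])
    for ip, s in ranked:
        flag = "REVIEW: 2xx response" if s["succeeded"] else "no 2xx response"
        print(f'{ip:15} hits={s["count"]} {s["first"]} -> {s["last"]} [{flag}]')
```

Source addresses that received a 2xx response are the ones to check first against administrator password changes and newly created System Events in the same time window.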











