Two additional security flaws in the SmarterMail email program have been fixed by SmarterTools, one of which is critical and could lead to arbitrary code execution. The vulnerability has a CVSS score of 9.3 out of 10.0 and is tracked as CVE-2026-24423.

"SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method," according to the description of the flaw on CVE.org. "The malicious OS [operating system] command is served by the malicious HTTP server, which the attacker could direct SmarterMail to. The vulnerable application will carry out this command." The vulnerability was found and reported by watchTowr researchers Sina Kheirkhah and Piotr Bazydlo, Markus Wulftange of CODE WHITE GmbH, and Cale Black of VulnCheck.

Build 9511, released on January 15, 2026, fixes the security flaw. The same build also patches another critical flaw (CVE-2026-23760, CVSS score: 9.3) that has since been actively exploited in the wild. SmarterTools has additionally fixed a medium-severity security flaw (CVE-2026-25067, CVSS score: 6.9) that could enable NTLM relay attacks and unauthorized network authentication.

The flaw is an unauthenticated path coercion issue in the background-of-the-day preview endpoint. "The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation," VulnCheck noted in an alert.

This enables the resolution of UNC [Universal Naming Convention] paths on Windows systems, which prompts the SmarterMail service to start outbound SMB authentication attempts to hosts under attacker control. Unauthorized network authentication, NTLM relay attacks, and credential coercion are possible abuses of this. Build 9518, which was released on January 22, 2026, contains a patch for the vulnerability.
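The defect VulnCheck describes (decode attacker-supplied base64, then hand the result straight to the filesystem) and the check that closes it, as an added example. This is illustrative code written for this article, not SmarterMail's own implementation; the background directory, the function names and the per-segment character policy are assumptions. The hardened version rejects UNC, absolute and drive-relative forms (which is what turns a file read into an outbound SMB authentication on Windows), traversal segments and reserved device names, and then confirms the result still sits under the intended root.

```python
import base64
import binascii
import re
from pathlib import PurePosixPath, PureWindowsPath

# Hypothetical location of the background images; constructed for this example,
# not a real SmarterMail path.
BACKGROUND_ROOT = PurePosixPath("/srv/mailapp/backgrounds")

# A single path segment may contain only these characters (hypothetical policy).
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")

# Device names Windows resolves regardless of directory or extension.
WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


class PathRejected(ValueError):
    """Raised when attacker-controllable input does not describe a safe relative path."""


def encode_for_request(path_text: str) -> str:
    """Encode a path the way the client would send it (base64 in the request)."""
    return base64.b64encode(path_text.encode("utf-8")).decode("ascii")


def vulnerable_resolve(encoded: str) -> str:
    """The pattern the advisory describes: decode and use the result as a path, unchecked.
    A value such as \\\\attacker\\share\\bg.png comes back as a UNC path that the file
    API would open, triggering outbound SMB authentication on Windows."""
    return base64.b64decode(encoded).decode("utf-8")


def hardened_resolve(encoded: str, root: PurePosixPath = BACKGROUND_ROOT) -> str:
    """Decode, then accept only a relative path made of allowlisted segments below root."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise PathRejected("input is not valid base64") from exc
    try:
        candidate = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PathRejected("decoded bytes are not UTF-8 text") from exc
    if "\x00" in candidate:
        raise PathRejected("embedded NUL byte")

    # Reject anything Windows would treat as rooted: \\host\share, //host/share, C:..., \x
    win = PureWindowsPath(candidate)
    if win.drive or win.root or candidate.startswith(("/", "\\")):
        raise PathRejected("absolute, drive-relative or UNC path not allowed")

    # Split on either separator, drop empty and '.' segments, refuse traversal
    segments = [s for s in re.split(r"[\\/]", candidate) if s not in ("", ".")]
    if not segments:
        raise PathRejected("empty path")
    for seg in segments:
        if seg == "..":
            raise PathRejected("path traversal segment")
        if not SEGMENT_RE.match(seg):
            raise PathRejected(f"segment {seg!r} contains disallowed characters")
        if seg.split(".")[0].upper() in WINDOWS_RESERVED:
            raise PathRejected(f"segment {seg!r} is a reserved device name")

    resolved = root.joinpath(*segments)
    # Defence in depth: the joined result must still sit under the root
    if resolved.parts[: len(root.parts)] != root.parts:
        raise PathRejected("resolved path escapes the base directory")
    return str(resolved)


def check(encoded: str) -> tuple:
    """Convenience wrapper for callers and tests: ('ok', path) or ('rejected', reason)."""
    try:
        return ("ok", hardened_resolve(encoded))
    except PathRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and two coercion attempts
    for text in ("spring/sunrise.png", "\\\\attacker.example\\share\\bg.png", "../../secrets.txt"):
        enc = encode_for_request(text)
        print(f"{text!r:45} unchecked -> {vulnerable_resolve(enc)!r:45} hardened -> {check(enc)}")
```

The order of checks matters: the UNC and drive tests run before segment splitting because `PureWindowsPath` recognises `//host/share` with forward slashes as well as backslashes, so normalising separators first would lose that signal. The final containment check is redundant once `..` is refused, but it is cheap and protects against a later edit loosening the segment rules.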

Users must update to the most recent version of SmarterMail as soon as possible because two vulnerabilities have been actively exploited during the past week.