A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.
The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026.
It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the “/api/v1/auth/force-reset-password” endpoint.
“The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands,” watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said.
The problem is rooted in the function “SmarterMail.Web.Api.AuthenticationController.ForceResetPassword,” which not only allows the endpoint to be reached without authentication, but also leverages the fact that the reset request is accompanied by a boolean flag named “IsSysAdmin” to handle the incoming request depending on whether the user is a system administrator or not.
In case the flag is set to “true” (i.e., indicating that the user is an administrator), the underlying logic performs the following sequence of actions –
- Obtain the configuration corresponding to the username passed as input in the HTTP request
- Create a new system administrator item with the new password
- Update the administrator account with the new password
In other words, the privileged path is configured such that it can trivially update an administrator user’s password by sending an HTTP request with the username of an administrator account and a password of their choice. This complete lack of security control could be abused by an attacker to obtain elevated access, provided they have knowledge of an existing administrator username.
It doesn’t end there, for the authentication bypass provides a direct path to remote code execution through a built-in functionality that allows a system administrator to execute operating system commands on the underlying operating system and obtain a SYSTEM-level shell.
This can be accomplished by navigating to the Settings page, creating a new volume, and supplying an arbitrary command in the Volume Mount Command field that gets subsequently executed by the host’s operating system.
The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same “force-reset-password” endpoint to change the password on January 17, 2026, two days after the release of the patch.
This likely indicates that the attackers managed to reverse engineer the patches and reconstruct the flaw. To make matters worse, it doesn’t help that SmarterMail’s release notes are vague and do not explicitly mention what issues were addressed. One item in the bulleted list for Build 9511 simply mentions “IMPORTANT: Critical security fixes.”
In response, SmarterTools CEO Tim Uzzanti hinted that this is done so to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue.
“In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references,” Uzzanti said in response to transparency concerns raised by its customers. “We appreciate the feedback that encouraged this change in policy moving forward.”
When reached for comment, SmarterTools told The Hacker News that it released a fix for the vulnerability on January 15, 2026, adding it sent out notifications to all customers, asking them to update to the latest version.
“At the time of that release, we did notify all SmarterMail customers that a new version was released that fixed a critical security issue, and we strongly urged them to upgrade,” Derek Curtis, chief operating officer at SmarterTools, said. “As we don’t manage installations ourselves – our SmarterMail software is on-premises – we have to rely on customers to read our notifications, then upgrade as soon as they feel it’s prudent to do so.”
The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution.
Update
The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS score: 9.3), with Huntress noting that it has observed in-the-wild exploitation of the privileged account takeover vulnerability that could result in remote code execution.
The cybersecurity company also said CVE-2025-52691 has come under mass exploitation, making it essential that users of SmarterMail update to the latest version as soon as possible.
Jai Minton, senior manager of detection engineering and threat hunting at Huntress, told The Hacker News that CVE-2025-52691 is being exploited to deliver low sophistication web shells and “suspected loaders of malware written to Startup directories in order to achieve persistence and execution when the system is restarted.”
Minton also stated that all the IP addresses attempting to exploit CVE-2026-23760 are tied to virtual infrastructure in the U.S., and that the exact origin of the attacks is unknown. As for attribution, there is no evidence to suggest either vulnerabilities being exploited are tied to any particular threat actor.
“Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection,” it added.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added both the SmarterMail flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.
(The story was updated after publication on January 27, 2026, to reflect the latest developments.)
