SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution.
The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0.
“SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method,” according to a description of the flaw in CVE.org.
“The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS [operating system] command. This command will be executed by the vulnerable application.”
watchTowr researchers Sina Kheirkhah and Piotr Bazydlo, CODE WHITE GmbH’s Markus Wulftange, and VulnCheck’s Cale Black have been credited with discovering and reporting the vulnerability.
The security hole has been addressed in version Build 9511, released on January 15, 2026. The same build also patches another critical flaw (CVE-2026-23760, CVSS score: 9.3) that has since come under active exploitation in the wild.
In addition, SmarterTools has shipped fixes to plug a medium-severity security vulnerability (CVE-2026-25067, CVSS score: 6.9) that could allow an attacker to facilitate NTLM relay attacks and unauthorized network authentication.
It has been described as a case of unauthenticated path coercion affecting the background-of-the-day preview endpoint.
“The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation,” VulnCheck noted in an alert.
“On Windows systems, this allows UNC [Universal Naming Convention] paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.”
The vulnerability has been patched in Build 9518, released on January 22, 2026. With two vulnerabilities in SmarterMail coming under active exploitation over the past week, it’s essential that users update to the latest version as soon as possible.
Flaw Exploited in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on February 5, 2026, added CVE-2026-24423 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 26, 2026.
While there appear to have been no public reports on the exploitation of the vulnerable, CISA confirmed that it’s being weaponized in ransomware campaigns.
“The SmarterTools SmarterMail server prior to version 100.0.9511 is vulnerable to an unauthenticated remote code execution using the ConnectToHub API,” VulnCheck said. “The vulnerable API endpoint (/api/v1/settings/sysadmin/connect-to-hub) does not require authentication and configures the mounted path of the server.”
The root cause, the cybersecurity company added, is that the “connect-to-hub” API endpoint defined in “MailService.dll” explicitly allows anonymous users and processes JSON data sent in POST requests, effectively allowing an attacker to define a malicious “CommandMount” parameter in the JSON object that contains an arbitrary command to be executed.
This, in turn, is possible because the endpoint processes remote addresses specified in the “hubAddress” parameter within the POST request, which points to an attacker-controlled server.
“Defenders should immediately monitor and check logs for interactions with the ‘/api/v1/settings/sysadmin/connect-to-hub’ endpoint, which in patched versions will not respond with a HTTP 400 status code and error message in the current build (9511),” Black said.
“A version number can also be retrieved unauthenticated via the ‘/api/v1/licensing/about endpoint’ that can be used for quick validation.”
(The story was updated after publication on February 6, 2026, to include details of CISA’s alert.)
