A brand new safety flaw in SmarterTools SmarterMail electronic mail software program has come beneath lively exploitation within the wild, two days after the discharge of a patch.
The vulnerability, which at present doesn’t have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Construct 9511, following accountable disclosure by the publicity administration platform on January 8, 2026.
It has been described as an authentication bypass flaw that would enable any person to reset the SmarterMail system administrator password via a specifically crafted HTTP request to the “/api/v1/auth/force-reset-password” endpoint.
“The kicker in fact being that stated person is ready to use RCE-as-a-feature features to immediately execute OS [operating system] instructions,” watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah stated.
The issue is rooted within the operate “SmarterMail.Internet.Api.AuthenticationController.ForceResetPassword,” which not solely permits the endpoint to be reached with out authentication, but additionally leverages the truth that the reset request is accompanied by a boolean flag named “IsSysAdmin” to deal with the incoming request relying on whether or not the person is a system administrator or not.
In case the flag is ready to “true” (i.e., indicating that the person is an administrator), the underlying logic performs the next sequence of actions –
- Acquire the configuration comparable to the username handed as enter within the HTTP request
- Create a brand new system administrator merchandise with the brand new password
- Replace the administrator account with the brand new password
In different phrases, the privileged path is configured such that it will probably trivially replace an administrator person’s password by sending an HTTP request with the username of an administrator account and a password of their selection. This whole lack of safety management may very well be abused by an attacker to acquire elevated entry, offered they’ve data of an current administrator username.
It would not finish there, for the authentication bypass supplies a direct path to distant code execution via a built-in performance that enables a system administrator to execute working system instructions on the underlying working system and procure a SYSTEM-level shell.
This may be completed by navigating to the Settings web page, creating a brand new quantity, and supplying an arbitrary command within the Quantity Mount Command discipline that will get subsequently executed by the host’s working system.
The cybersecurity firm stated it selected to make the discovering public following a submit on the SmarterTools Group Portal, the place a person claimed that they misplaced entry to their admin account, with the logs indicating the usage of the identical “force-reset-password” endpoint to alter the password on January 17, 2026, two days after the discharge of the patch.
This seemingly signifies that the attackers managed to reverse engineer the patches and reconstruct the flaw. To make issues worse, it would not assist that SmarterMail’s launch notes are imprecise and don’t explicitly point out what points have been addressed. One merchandise within the bulleted record for Construct 9511 merely mentions “IMPORTANT: Crucial safety fixes.”
In response, SmarterTools CEO Tim Uzzanti hinted that that is carried out so to keep away from giving risk actors extra ammunition, however famous they plan to ship an electronic mail each time a brand new CVE is found and once more when a construct has been launched to resolve the difficulty.
“In our 23+ years, we now have had only some CVEs, which have been primarily communicated via launch notes and important repair references,” Uzzanti stated in response to transparency issues raised by its prospects. “We respect the suggestions that inspired this variation in coverage shifting ahead.”
It is at present not clear whether or not such an electronic mail was despatched to SmarterMail directors this time round. The Hacker Information has reached out to SmarterTools for remark, and we’ll replace the story if we hear again.
The event comes lower than a month after the Cyber Safety Company of Singapore (CSA) disclosed particulars of a maximum-severity safety flaw in SmarterMail (CVE-2025-52691, CVSS rating: 10.0) that may very well be exploited to attain distant code execution.
Replace
The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS rating: 9.3), with Huntress noting that it has noticed in-the-wild exploitation of the privileged account takeover vulnerability that would end in distant code execution.
The cybersecurity firm additionally stated CVE-2025-52691 has come beneath mass exploitation, making it important that customers of SmarterMail replace to the most recent model as quickly as doable.
Jai Minton, senior supervisor of detection engineering and risk searching at Huntress, instructed The Hacker Information that CVE-2025-52691 is being exploited to ship low sophistication internet shells and “suspected loaders of malware written to Startup directories to be able to obtain persistence and execution when the system is restarted.”
Minton additionally acknowledged that each one the IP addresses making an attempt to use CVE-2026-23760 are tied to digital infrastructure within the U.S., and that the precise origin of the assaults is unknown. As for attribution, there isn’t a proof to recommend both vulnerabilities being exploited are tied to any explicit risk actor.
“Given the severity of this vulnerability, lively exploitation, and exploitation of the extra CVE-2025-52691 being noticed within the wild, companies ought to prioritize the deployment of SmarterMail updates and evaluate any outdated methods for indicators of an infection,” it added.
(The story was up to date after publication to incorporate particulars of the CVE and insights from Huntress.)
