
CISA warns of SmarterMail RCE flaw used in ransomware attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that ransomware actors are exploiting CVE-2026-24423, a critical vulnerability in SmarterMail that enables remote code execution without authentication.

SmarterMail is a self-hosted, Windows-based email server and collaboration platform from SmarterTools. The product provides SMTP/IMAP/POP mail services along with webmail, calendars, contacts, and basic groupware functionality.

It is commonly deployed by managed service providers (MSPs), small and medium-sized businesses, and hosting companies offering email services. According to SmarterTools, its products are used by roughly 15 million users across 120 countries.

The CVE-2026-24423 flaw affects SmarterTools SmarterMail versions prior to build 9511, and successful exploitation can lead to remote code execution (RCE) via the ConnectToHub API.

The vulnerability was discovered and responsibly disclosed to SmarterTools by security researchers at the cybersecurity companies watchTowr, CODE WHITE, and VulnCheck.

The vendor fixed the flaw on January 15 in SmarterMail Build 9511.

CISA has now added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and marked it as actively exploited in ransomware campaigns.

“SmarterTools SmarterMail contains a missing authentication for a critical function vulnerability in the ConnectToHub API method,” the government agency warns.

“This could allow the attacker to point the SmarterMail instance to a malicious HTTP server that serves the malicious OS command and could lead to command execution.”

CISA has given federal agencies and entities with obligations under BOD 22-01 guidance to either apply the security updates and vendor-suggested mitigations or stop using the product by February 26, 2026.

Around the same time that SmarterTools patched CVE-2026-24423, watchTowr researchers discovered another authentication bypass flaw, internally tracked as WT-2026-0001.

The flaw, which has no identifier, allows resetting the administrator password without any verification and was exploited by hackers shortly after the vendor released a patch.

The researchers base this on anonymous tips, specific calls in the logs of compromised systems, and endpoints that exactly match the vulnerable code path.

Since then, SmarterMail has fixed additional security flaws rated “critical,” so it is strongly recommended that system administrators update to the most recent build, currently 9526, released on January 30.
