SmarterMail WT-2026-0001 Authentication Bypass Enables Admin Takeover and RCE
SmarterTools SmarterMail patched a critical authentication bypass tracked as WT-2026-0001 after researchers reported that attackers can reset the system administrator password without authentication by abusing the /api/v1/auth/force-reset-password endpoint. The flaw stems from logic in SmarterMail.Web.Api.AuthenticationController.ForceResetPassword that permits anonymous access and trusts a user-supplied boolean (IsSysAdmin); when set to true, the code path updates an admin account’s password without validating the old password or enforcing authorization checks.
Both reports indicate the issue is actively exploited in the wild, with observed exploitation occurring within days of the vendor patch (including reports of activity as soon as two days after release). Once an attacker resets the admin password, they can take over the mail server and leverage built-in administrative capabilities to execute OS commands, effectively achieving remote code execution (RCE) and full compromise of affected SmarterMail deployments. The patch was released as Build 9511 following responsible disclosure by watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah.
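As an added illustration (not SmarterTools code; the request shape, the account store and the order of checks are constructed assumptions), the following Python models the reset logic the article describes: the vulnerable branch trusts the body's IsSysAdmin flag and changes an administrator password with no old-password or authorization check, while the hardened branch ignores that flag, takes privilege from the stored account and requires the current password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    name: str
    is_sysadmin: bool  # privilege lives in the server-side record, never in the request
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.pw_hash = _hash(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

def fresh_store() -> dict:
    # Constructed sample data: one system administrator with a known password.
    admin = Account("admin", is_sysadmin=True)
    admin.set_password("original-admin-pw")
    return {"admin": admin}

def vulnerable_force_reset(store: dict, body: dict) -> bool:
    """Flaw pattern from the article: the handler is reachable without a session
    and trusts the body's IsSysAdmin flag, so an administrator password is
    replaced with no old-password check and no authorization check."""
    acct = store.get(body.get("Username", ""))
    if acct is None or not body.get("IsSysAdmin"):
        return False
    acct.set_password(body["NewPassword"])  # unauthenticated takeover
    return True

def hardened_force_reset(store: dict, body: dict) -> bool:
    """Fix pattern the article attributes to Build 9511: IsSysAdmin from the
    body is ignored, privilege comes from the stored record, and the current
    password must be presented before anything changes. The article describes
    the check for administrator resets; applying it to every account is the
    conservative choice and is an assumption of this example."""
    acct = store.get(body.get("Username", ""))
    if acct is None or not acct.check_password(body.get("OldPassword", "")):
        return False  # same response whether the account is missing or the password is wrong
    acct.set_password(body["NewPassword"])
    return True
```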
Timeline
Jan 22, 2026: CVE-2026-23760 is assigned to the SmarterMail vulnerability
The SmarterMail authentication bypass was assigned CVE-2026-23760, covering versions prior to Build 9511. The CVE record was received on 2026-01-22 and documented the issue as an authentication bypass in the password reset API leading to full administrative compromise.

Jan 22, 2026: watchTowr publicly discloses WT-2026-0001 and exploitation details
On 2026-01-22, watchTowr Labs publicly disclosed the SmarterMail flaw, describing how unauthenticated attackers could set IsSysAdmin=true, reset an admin password, and then abuse features such as Volume Mounts to achieve SYSTEM-level remote code execution. The disclosure also included evidence of active exploitation and a proof-of-concept path to shell access.

Jan 17, 2026: Forum report indicates admin password was changed via the vulnerable endpoint
A SmarterMail forum post dated 2026-01-17 suggested the vulnerable endpoint had been used to change an administrator password in the wild. This became an early public indicator of active exploitation.

Jan 17, 2026: Attackers begin exploiting the flaw after patch release
Evidence from logs and later reporting indicates attackers started exploiting unpatched SmarterMail systems within about 48 hours of the patch, likely by reverse engineering Build 9511. The activity involved resetting administrator passwords through the force-reset-password endpoint.

Jan 15, 2026: SmarterTools releases SmarterMail Build 9511 patch
SmarterTools released SmarterMail Build 9511 to fix the password-reset API issue by adding old-password validation for administrator resets. Release notes reportedly described the update only as containing critical security fixes.

Jan 8, 2026: watchTowr reports SmarterMail auth bypass to SmarterTools
watchTowr Labs reported a critical SmarterMail authentication-bypass flaw, later tracked as WT-2026-0001, to the vendor. BleepingComputer says the report was made on 2026-01-08.
Related Stories

Active Exploitation of SmarterMail Authentication Bypass Leading to Admin Takeover and RCE
Internet-wide scanning identified **6,000+ SmarterTools SmarterMail** servers exposed online and likely vulnerable to **CVE-2026-23760**, a **critical authentication bypass** in the password reset API that enables **unauthenticated admin account takeover** and can lead to **remote code execution**. The flaw affects SmarterMail versions prior to **build 9511** and abuses the `/api/v1/auth/force-reset-password` (aka `force-reset-password`) endpoint, which allows anonymous password resets for administrator accounts without validating the existing password or requiring a reset token. SmarterTools issued a fix on **January 15, 2026** (later assigned CVE-2026-23760), and Shadowserver reported large-scale exposure with thousands of instances flagged as “likely vulnerable,” including heavy concentration in North America and additional exposure in Asia. Multiple sources reported **active exploitation** shortly after patch availability, with observed attacker behavior consistent with automated hijacking: resetting admin credentials, obtaining authenticated access, and then leveraging SmarterMail administrative capabilities to execute OS-level commands. Huntress reported attackers creating malicious **System Events** to run reconnaissance commands and establish persistence, while watchTowr (which reported the issue to SmarterTools) received additional reports of exploitation in production environments. The reporting also notes this disclosure follows closely after another critical pre-auth SmarterMail issue (**CVE-2025-52691**), reinforcing that unpatched, internet-exposed SmarterMail deployments are being actively targeted.
Authentication Bypass and Password-Reset Flaws Enable Account Takeover in SmarterMail and Appsmith
**watchTowr Labs** disclosed **WT-2026-0001**, an **authentication bypass** in *SmarterTools SmarterMail* that allows a user to reset the **system administrator password** via a password-reset mechanism and then leverage SmarterMail’s built-in “RCE-as-a-feature” capabilities to execute OS commands. The researcher reported the issue and stated it was patched quickly, citing a fixed release on **SmarterMail release 9511 (2026-01-15)**; the publication was accelerated after a tip that attackers were actively exploiting the flaw to reset admin passwords, with forum-shared logs reportedly showing suspicious activity tied to the `force-reset-password` endpoint. **Resecurity** reported exploitation of **CVE-2026-22794** in *Appsmith*, a critical authentication weakness in the password reset flow where the application trusts a **client-controlled `Origin` header** to build reset links. An attacker can initiate a reset for a victim while supplying a malicious Origin so the victim’s email contains a link to attacker infrastructure; when clicked, the reset token is exposed, enabling password change and **full account takeover**. Resecurity identified the affected endpoint as `/api/v1/users/forgotPassword`, stated **Appsmith ≤ 1.92** is affected, and that the issue is fixed in **Appsmith ≥ 1.93**.
Critical Remote Code Execution Vulnerability in SmarterMail
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat. The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.