Active Exploitation of SmarterMail Authentication Bypass Leading to Admin Takeover and RCE
Internet-wide scanning identified 6,000+ SmarterTools SmarterMail servers exposed online and likely vulnerable to CVE-2026-23760, a critical authentication bypass in the password reset API that enables unauthenticated admin account takeover and can lead to remote code execution. The flaw affects SmarterMail versions prior to build 9511 and abuses the /api/v1/auth/force-reset-password (aka force-reset-password) endpoint, which allows anonymous password resets for administrator accounts without validating the existing password or requiring a reset token. SmarterTools issued a fix on January 15, 2026 (later assigned CVE-2026-23760), and Shadowserver reported large-scale exposure with thousands of instances flagged as “likely vulnerable,” including heavy concentration in North America and additional exposure in Asia.
Multiple sources reported active exploitation shortly after patch availability, with observed attacker behavior consistent with automated hijacking: resetting admin credentials, obtaining authenticated access, and then leveraging SmarterMail administrative capabilities to execute OS-level commands. Huntress reported attackers creating malicious System Events to run reconnaissance commands and establish persistence, while watchTowr (which reported the issue to SmarterTools) received additional reports of exploitation in production environments. The reporting also notes this disclosure follows closely after another critical pre-auth SmarterMail issue (CVE-2025-52691), reinforcing that unpatched, internet-exposed SmarterMail deployments are being actively targeted.
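An added example (not SmarterTools or watchTowr code) of defender-side triage for the behaviour described above: it parses constructed access-log lines in a generic "combined" format (an assumption; real SmarterMail/IIS log layouts may differ), flags source IPs whose anonymous POSTs to the force-reset-password endpoint returned 2xx, and checks the running build against the fixed build 9511.

```python
"""Defender-side triage for SmarterMail force-reset-password abuse. Added example,
not SmarterTools code; assumes a generic combined access-log format (may differ)."""
import re
from collections import defaultdict

FORCE_RESET_PATH = "/api/v1/auth/force-reset-password"
FIXED_BUILD = 9511  # first build carrying the vendor fix

# combined format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one source repeatedly hits the
# reset endpoint and gets 2xx, another is refused, a normal client browses.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2026:03:14:07 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 112 "-" "python-requests/2.31"
198.51.100.20 - - [21/Jan/2026:03:14:20 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jan/2026:03:14:09 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 112 "-" "python-requests/2.31"
203.0.113.44 - - [21/Jan/2026:04:01:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 403 31 "-" "curl/8.4.0"
"""

def parse_log(text):
    """Parse access-log lines into dicts, skipping lines that do not match."""
    matches = (LOG_RE.match(line) for line in text.splitlines())
    return [m.groupdict() | {"status": int(m["status"])} for m in matches if m]

def force_reset_hits(entries):
    """Per source IP: force-reset POST attempts and how many returned 2xx.
    A 2xx is the key signal; a patched build should refuse anonymous callers."""
    hits = defaultdict(lambda: {"attempts": 0, "succeeded": 0})
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == FORCE_RESET_PATH:
            hits[e["ip"]]["attempts"] += 1
            if 200 <= e["status"] < 300:
                hits[e["ip"]]["succeeded"] += 1
    return dict(hits)

def triage(text, build):
    """Sources that completed a reset, plus whether the build itself is unpatched."""
    hits = force_reset_hits(parse_log(text))
    takeover = sorted(ip for ip, h in hits.items() if h["succeeded"])
    return {"vulnerable_build": int(build) < FIXED_BUILD,
            "attempts_by_ip": hits, "likely_takeover_sources": takeover}
```

Any source in `likely_takeover_sources` on a build below 9511 warrants an immediate admin credential reset and a review of recently created System Events.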
Timeline
Jan 27, 2026
CISA adds CVE-2026-23760 to the KEV catalog
CISA added CVE-2026-23760 to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The agency ordered U.S. federal civilian executive branch agencies to remediate the flaw by February 16, 2026.
Jan 27, 2026
Shadowserver reports 6,000+ exposed vulnerable SmarterMail servers
Shadowserver said it was tracking more than 6,000 internet-exposed SmarterMail servers likely still vulnerable to CVE-2026-23760. Separate scanning cited in reporting found as many as 8,550 potentially vulnerable instances, with many located in the United States.
Jan 27, 2026
watchTowr releases proof-of-concept exploit details
watchTowr publicly disclosed technical details and a proof-of-concept exploit for the SmarterMail issue, showing that only the administrator username was needed to reset the account password. The disclosure helped clarify the impact and exploitability of the flaw.
Jan 21, 2026
Exploitation of CVE-2026-23760 begins in the wild
Security researchers at watchTowr and Huntress reported that attackers started exploiting the SmarterMail flaw in the wild around this date. Observed activity included reconnaissance, persistence, and signs of mass automated hijacking attempts.
Jan 15, 2026
SmarterTools fixes the SmarterMail password reset flaw
SmarterTools released a fix for the SmarterMail vulnerability in build 9511, initially without assigning a CVE identifier. The issue affected versions prior to build 9511 and could lead to administrator account takeover and remote code execution.
Jan 8, 2026
watchTowr reports SmarterMail auth bypass to SmarterTools
watchTowr reported a critical SmarterMail authentication bypass vulnerability to SmarterTools. The flaw, later tracked as CVE-2026-23760, allowed unauthenticated password resets of administrator accounts via the password reset API.
Related Stories

SmarterMail WT-2026-0001 Authentication Bypass Enables Admin Takeover and RCE
SmarterTools *SmarterMail* patched a critical authentication bypass tracked as **WT-2026-0001** after researchers reported that attackers can reset the **system administrator** password without authentication by abusing the `/api/v1/auth/force-reset-password` endpoint. The flaw stems from logic in `SmarterMail.Web.Api.AuthenticationController.ForceResetPassword` that permits anonymous access and trusts a user-supplied boolean (`IsSysAdmin`); when set to `true`, the code path updates an admin account’s password without validating the old password or enforcing authorization checks. Both reports indicate the issue is **actively exploited in the wild**, with observed exploitation occurring **within days of the vendor patch** (including reports of activity as soon as two days after release). Once an attacker resets the admin password, they can take over the mail server and leverage built-in administrative capabilities to execute OS commands, effectively achieving **remote code execution (RCE)** and full compromise of affected SmarterMail deployments; the patch was released as **Build 9511** following responsible disclosure by watchTowr Labs researchers **Piotr Bazydlo** and **Sina Kheirkhah**.
1 month ago
Authentication Bypass and Password-Reset Flaws Enable Account Takeover in SmarterMail and Appsmith
**watchTowr Labs** disclosed **WT-2026-0001**, an **authentication bypass** in *SmarterTools SmarterMail* that allows a user to reset the **system administrator password** via a password-reset mechanism and then leverage SmarterMail’s built-in “RCE-as-a-feature” capabilities to execute OS commands. The researcher reported the issue and stated it was patched quickly, citing a fixed release on **SmarterMail release 9511 (2026-01-15)**; the publication was accelerated after a tip that attackers were actively exploiting the flaw to reset admin passwords, with forum-shared logs reportedly showing suspicious activity tied to the `force-reset-password` endpoint. **Resecurity** reported exploitation of **CVE-2026-22794** in *Appsmith*, a critical authentication weakness in the password reset flow where the application trusts a **client-controlled `Origin` header** to build reset links. An attacker can initiate a reset for a victim while supplying a malicious Origin so the victim’s email contains a link to attacker infrastructure; when clicked, the reset token is exposed, enabling password change and **full account takeover**. Resecurity identified the affected endpoint as `/api/v1/users/forgotPassword`, stated **Appsmith ≤ 1.92** is affected, and that the issue is fixed in **Appsmith ≥ 1.93**.
1 month ago
SmarterMail Unauthenticated File Upload RCE (CVE-2025-52691) Exposes Thousands of Internet-Facing Servers
A critical SmarterTools *SmarterMail* vulnerability, **CVE-2025-52691**, enables **remote code execution (RCE)** via an **unauthenticated arbitrary file upload** condition (CWE-434). The issue affects SmarterMail **Build 9406 and earlier** and is fixed in **Build 9413 and later**; the NVD lists a **CVSS v3.1 score of 10.0** (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`). Successful exploitation can allow full server compromise, including webshell deployment, data theft, and lateral movement under the service’s privileges. Internet-wide scanning reported **8,001 likely vulnerable IPs** out of **18,783** exposed SmarterMail instances (about **42.6%** failing checks), with the largest concentration in the **United States (~5,000)** followed by the **UK** and **Malaysia**. **Public proof-of-concept exploit code** is available, increasing the likelihood of opportunistic exploitation against unpatched, internet-facing deployments; multiple national agencies reportedly issued advisories following disclosure in late December 2025.
1 month ago