Threat actors began exploiting an authentication bypass vulnerability in the SmarterTools SmarterMail enterprise email and collaboration server roughly two days after patches were released, security researchers warn.
Tracked as CVE-2026-23760 (CVSS score of 9.3), the security defect affects the application's password reset API and allows attackers to reset passwords without authentication.
The issue exists because the force-reset-password function accepts unauthenticated requests containing user-controlled parameters and does not verify the old password or a reset token for administrator accounts.
This allows an attacker who knows an administrator's username to reset the account's password without authentication and take control of the vulnerable SmarterMail instance.
According to watchTowr, the flaw can be chained into remote code execution (RCE) through SmarterMail functionality that lets a system administrator execute operating system commands.
After resetting an admin's account, the attacker can create a new volume in the settings menu and place a command in the Volume Mount Command field. Because that command is executed by the underlying OS, the attacker achieves full RCE on the host.
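To make the defect class concrete, here is an added illustration in Python (not SmarterMail's code; the function names, request fields and token scheme are assumptions for the example): a force-reset handler that acts on a caller-supplied username alone, beside a hardened version that requires an administrator session, the account owner's old password, or a single-use reset token bound to the target account.

```python
# Added illustration, not SmarterMail's code: a "force reset password"
# handler that trusts request parameters alone, beside a hardened version.
# Function names, request fields and the token scheme are assumptions.
import hashlib
import hmac
import os
import secrets
import time

USERS = {}         # username -> {"salt", "digest", "is_admin"}
SESSIONS = {}      # bearer token -> username
RESET_TOKENS = {}  # single-use reset token -> (username, expiry epoch)


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def add_user(username, password, is_admin=False):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "is_admin": is_admin}


def login(username, password):
    user = USERS.get(username)
    if not user or not verify_password(password, user["salt"], user["digest"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def issue_reset_token(username, ttl_seconds=900):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + ttl_seconds)
    return token


def force_reset_vulnerable(request):
    """Vulnerable pattern: whoever names the account gets to set its password.
    No session, no old password and no reset token is checked."""
    username = request.get("username")
    if username not in USERS:
        return False
    salt, digest = hash_password(request["new_password"])
    USERS[username].update(salt=salt, digest=digest)
    return True


def force_reset_hardened(request, headers):
    """Hardened pattern: the caller must prove authority over the target
    account in one of three ways before anything is written."""
    target = request.get("username")
    if target not in USERS:
        return False
    caller = SESSIONS.get(headers.get("Authorization", ""))
    authorized = False
    if caller is not None and USERS[caller]["is_admin"]:
        authorized = True                       # authenticated administrator
    elif caller == target:
        user = USERS[target]                    # owner proving the old password
        authorized = verify_password(request.get("old_password", ""),
                                     user["salt"], user["digest"])
    else:
        # Out-of-band reset: the token is popped so it works exactly once,
        # and it must be bound to this target and still within its lifetime.
        entry = RESET_TOKENS.pop(request.get("reset_token", ""), None)
        authorized = (entry is not None and entry[0] == target
                      and entry[1] > time.time())
    if not authorized:
        return False
    salt, digest = hash_password(request["new_password"])
    USERS[target].update(salt=salt, digest=digest)
    return True


def demo():
    """Attacker knows only the username 'admin' and sends no credentials."""
    USERS.clear(); SESSIONS.clear(); RESET_TOKENS.clear()
    add_user("admin", "original-admin-password", is_admin=True)
    attacker = {"username": "admin", "new_password": "attacker-chosen"}
    results = {}
    results["vulnerable_reset"] = force_reset_vulnerable(attacker)
    results["vulnerable_login"] = login("admin", "attacker-chosen") is not None

    add_user("admin", "original-admin-password", is_admin=True)  # restore
    results["hardened_reset"] = force_reset_hardened(attacker, {})
    results["hardened_login"] = login("admin", "attacker-chosen") is not None

    token = issue_reset_token("admin")  # the legitimate out-of-band flow still works
    legit = {"username": "admin", "new_password": "rotated", "reset_token": token}
    results["token_reset"] = force_reset_hardened(legit, {})
    results["token_replay"] = force_reset_hardened(legit, {})  # same token again
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the vulnerable handler lets the unauthenticated request take over `admin`, while the hardened one refuses it and still honours a fresh reset token once and rejects its replay. The point to take from it is that the authorization decision must be derived from something the caller proves, never from the account name in the request body.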
The authentication bypass was addressed in SmarterMail version 9511, released on January 15.
watchTowr says it has observed widespread exploitation of CVE-2026-23760 for nearly a week and believes threat actors have reverse-engineered the fix.
“We’re seeing active, widespread exploitation of a new bug that received a patch less than a week ago. The fix has already been reverse-engineered, and exploitation leads straight to full RCE,” watchTowr founder and CEO Benjamin Harris told SecurityWeek.
On Thursday, Huntress warned that hackers have been exploiting the application's System Events functionality in attacks targeting the SmarterMail authentication bypass.
The cybersecurity firm observed threat actors sending HTTP POST requests to vulnerable instances to exploit CVE-2026-23760, obtain valid access tokens, configure a malicious System Event, add a new domain to SmarterMail, and perform clean-up operations.
Apparently intended for reconnaissance, the malicious System Event was triggered by the addition of the new domain, Huntress says.
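The sequence Huntress describes lends itself to a simple per-source correlation: an unauthenticated reset, a token issued, a System Event created, then a domain added, all from one address within a short window. The following is an added example, not Huntress' or SmarterTools' tooling; the log format, action names and sample lines are constructed for the illustration and do not reflect SmarterMail's actual log layout.

```python
# Added example, not from Huntress or SmarterTools: correlate the reported
# attack sequence per source address over an application audit log. The log
# format, action names and sample lines below are constructed for this
# illustration and do not reflect SmarterMail's real log layout.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) action=(?P<action>\S+)(?: user=(?P<user>\S+))?")

# Stages in the order the chain was described: unauthenticated reset request,
# access token obtained, malicious System Event configured, domain added
# (which is what fired the event). Clean-up steps are not part of the match.
CHAIN = ["password_reset_unauth", "token_issued", "system_event_created", "domain_added"]

SAMPLE_LOG = """\
2026-01-20T10:00:01Z src=198.51.100.10 action=login user=alice
2026-01-20T10:03:14Z src=203.0.113.7 action=password_reset_unauth user=admin
2026-01-20T10:03:15Z src=203.0.113.7 action=token_issued user=admin
2026-01-20T10:03:40Z src=203.0.113.7 action=system_event_created user=admin event=recon
2026-01-20T10:03:52Z src=203.0.113.7 action=domain_added user=admin domain=example.test
2026-01-20T10:04:00Z src=203.0.113.7 action=system_event_deleted user=admin event=recon
2026-01-20T11:00:00Z src=198.51.100.22 action=password_reset_unauth user=bob
2026-01-20T15:30:00Z src=198.51.100.22 action=domain_added user=bob domain=bob.test
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], m["action"], m["user"]


def unauth_resets(log_text):
    """An unauthenticated reset is worth an alert on its own; return (src, user) pairs."""
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "password_reset_unauth":
            out.append((rec[1], rec[3]))
    return out


def detect_chain(log_text, window=timedelta(minutes=15)):
    """Return {src: completion timestamp} for sources that perform every CHAIN
    stage in order within `window` of the first stage. Unrelated events in
    between are ignored; an expired window restarts the match from scratch."""
    state = defaultdict(lambda: {"stage": 0, "start": None})
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ts, src, action, _ = rec
        st = state[src]
        if st["start"] is not None and ts - st["start"] > window:
            st["stage"], st["start"] = 0, None
        if action == CHAIN[st["stage"]]:
            if st["stage"] == 0:
                st["start"] = ts
            st["stage"] += 1
            if st["stage"] == len(CHAIN):
                hits[src] = ts.strftime(TS_FMT)
                st["stage"], st["start"] = 0, None
    return hits


if __name__ == "__main__":
    print("unauthenticated resets:", unauth_resets(SAMPLE_LOG))
    print("completed chains:", detect_chain(SAMPLE_LOG))
```

On the constructed sample, 203.0.113.7 completes the full chain in under a minute and is reported, while 198.51.100.22 is listed only under unauthenticated resets: its later domain addition falls outside the window and skips the intermediate stages. In practice the stage names would be mapped to whatever the real application log records for the reset API, token issuance, System Event and domain operations.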
Users should update their SmarterMail instances to a patched release as soon as possible.
“Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection,” Huntress notes.
