Key Takeaways:
- A newly disclosed flaw in SmarterTools SmarterMail is being exploited in the wild, two days after a fixed build shipped.
- The vulnerability, tracked by watchTowr Labs as WT-2026-0001 and later assigned CVE-2026-23760, lets an unauthenticated attacker reset the SmarterMail system administrator password, which in turn leads to remote code execution.
- The root cause is the "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword" handler, which is reachable without authentication and trusts a client-supplied "IsSysAdmin" flag.
- The only prerequisite for the attacker is knowledge of an existing administrator username.
- SmarterTools has released a patch, but the release notes are vague and do not explicitly mention the issues addressed.
- The company plans to change its policy and send emails to administrators when a new CVE is discovered and when a build has been released to resolve the issue.
Introduction to the Vulnerability
SmarterTools SmarterMail has a newly disclosed security flaw that is being actively exploited in the wild. The vulnerability, tracked by watchTowr Labs as WT-2026-0001, was patched by SmarterTools on January 15, 2026, in Build 9511, one week after watchTowr reported it on January 8, 2026. The fix did not stop exploitation: attackers reverse engineered the patched build, reconstructed the flaw from the changes, and are now using it against servers that have not yet been updated.
Technical Details of the Vulnerability
The bug is an authentication bypass: a single crafted HTTP request to the "/api/v1/auth/force-reset-password" endpoint resets the SmarterMail system administrator password. The handler, "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword", has two defects that combine. First, the endpoint can be reached without any authentication. Second, the request body carries a boolean flag named "IsSysAdmin", and the handler uses that client-controlled value, rather than the identity of an authenticated caller, to decide whether the reset applies to a system administrator account. An attacker therefore needs nothing more than an existing administrator username to set that account's password to a value of their choosing.
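The authorization mistake described above, as an added illustrative model: this is example code written for this page, not SmarterTools' source. The account store, the session object and the request field names other than "IsSysAdmin" are assumptions; what the model shows is why a privilege flag supplied by the client must never decide which account a reset touches.

```python
"""Model of the force-reset authorization flaw: a client-supplied IsSysAdmin flag
selects the account table, and no session is required. Added example, not vendor code;
the store layout, Session class and field names other than IsSysAdmin are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """What the server knows about the caller once it has validated a login token."""
    username: str
    is_sysadmin: bool


@dataclass
class AccountStore:
    # Passwords kept as plaintext only to keep the model short; a real store hashes them.
    sysadmins: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)


def force_reset_vulnerable(store: AccountStore, body: dict, session: Optional[Session] = None) -> bool:
    """The pattern the advisory describes: reachable with no session, and the request
    body's IsSysAdmin flag, not the caller's identity, chooses which table is written."""
    table = store.sysadmins if body.get("IsSysAdmin") else store.users
    username = body["username"]            # the attacker must already know an admin username
    if username not in table:
        return False
    table[username] = body["newPassword"]  # assumption: name of the new-password field
    return True


def force_reset_hardened(store: AccountStore, body: dict, session: Optional[Session]) -> bool:
    """The correction this model applies: require an authenticated system administrator,
    and take the privilege decision from the server-side session, not the request body."""
    if session is None or not session.is_sysadmin:
        raise PermissionError("force-reset requires an authenticated system administrator")
    table = store.sysadmins if body.get("IsSysAdmin") else store.users
    username = body["username"]
    if username not in table:
        return False
    table[username] = body["newPassword"]
    return True


def demo() -> tuple:
    """Send the same unauthenticated request to both handlers and report the outcome."""
    store = AccountStore(sysadmins={"admin": "original-secret"}, users={"alice": "pw"})
    attack = {"username": "admin", "newPassword": "attacker-chosen", "IsSysAdmin": True}

    changed = force_reset_vulnerable(store, attack)        # no session at all
    vulnerable_password = store.sysadmins["admin"]

    store = AccountStore(sysadmins={"admin": "original-secret"}, users={"alice": "pw"})
    try:
        force_reset_hardened(store, attack, session=None)
        blocked = False
    except PermissionError:
        blocked = True
    return changed, vulnerable_password, blocked, store.sysadmins["admin"]


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns success and leaves the administrator password set to the attacker's value; the hardened path refuses the same request before touching any account, and it would refuse it just as firmly from a logged-in ordinary user, because the check reads the session rather than the body.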
Exploitation and Remote Code Execution
The reset password gives the attacker an ordinary administrator login, and a built-in administrator feature turns that into remote code execution: SmarterMail lets a system administrator supply an operating system command that runs on the host. In the interface this is done from the Settings page by creating a new volume and entering an arbitrary command in the Volume Mount Command field, which the host's operating system then executes, yielding a SYSTEM-level shell. The command feature is intentional administrator functionality; it is the unauthenticated route to administrator credentials that makes it dangerous. watchTowr Labs warns that the chain gives an attacker complete control of the server, so SmarterMail users should update to the latest build immediately. Patching does not undo a reset that has already happened: a server that was exposed while unpatched should have its administrator passwords rotated and its volume settings reviewed for mount commands nobody recognizes.
Response from SmarterTools
In response to the vulnerability, SmarterTools CEO Tim Uzzanti indicated that the company's release notes are deliberately vague about which issues a build addresses so as not to hand threat actors more ammunition. The company now plans to change that policy and email administrators both when a new CVE is discovered and when a build resolving it has been released. Uzzanti noted that SmarterTools has had only a few CVEs in its 23+ years of operation, which were communicated primarily through release notes and critical-fix references, and said the company appreciated the feedback that prompted the change going forward.
Update and Additional Information
The vulnerability has since been assigned CVE-2026-23760. Huntress reports observing in-the-wild exploitation of this privileged account takeover flaw, which can lead to remote code execution, and says that an earlier SmarterMail vulnerability, CVE-2025-52691, is also under mass exploitation. With two SmarterMail flaws being exploited at once, organizations should prioritize deploying the current build and examine any server that ran an older version for signs of compromise, starting with unexplained administrator password changes and unfamiliar volume entries.
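For the review step above, here is an added example (written for this page, not code from the article, watchTowr, Huntress or SmarterTools) that hunts W3C-format web server logs for requests to the force-reset-password endpoint named in the advisory. The field layout follows the IIS default W3C fields; whether your SmarterMail installation logs in that format is an assumption, and the log lines embedded below are constructed for illustration, not captured from a real server.

```python
"""Hunt W3C-format (IIS-style) web logs for requests to the SmarterMail force-reset endpoint.

Added example, not vendor code. Assumptions: the log uses the IIS default W3C field layout
(the '#Fields:' directive is honoured, so other layouts work if they name the same columns);
the sample lines below are constructed, not captured from a real server.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator

# The endpoint named in the advisory. Compared case-insensitively: ASP.NET routing is
# case-insensitive by default, so attackers can vary case to dodge a naive grep.
RESET_ENDPOINT = "/api/v1/auth/force-reset-password"

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-01-16 03:12:39 10.0.0.5 GET /interface/root - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2026-01-16 03:12:41 10.0.0.5 POST /api/v1/auth/force-reset-password - 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 134
2026-01-16 03:15:02 10.0.0.5 POST /API/v1/Auth/Force-Reset-Password - 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 120
2026-01-16 03:20:10 10.0.0.5 POST /api/v1/auth/force-reset-password - 443 - 192.0.2.44 curl/8.4.0 - 500 0 0 31
2026-01-16 03:21:00 10.0.0.5 GET /favicon.ico - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 3
this row is truncated and must be skipped rather than mis-parsed
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    method: str
    status: int
    user_agent: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per data row, using the column names from the '#Fields:' directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated row: skip rather than shift the columns
        yield dict(zip(fields, parts))


def find_reset_hits(lines: Iterable[str]) -> list:
    """Return every request to the force-reset endpoint, whatever its method or status."""
    hits = []
    for row in parse_w3c(lines):
        if row.get("cs-uri-stem", "").lower() != RESET_ENDPOINT:
            continue
        try:
            status = int(row.get("sc-status", "0"))
        except ValueError:
            status = 0
        hits.append(Hit(
            timestamp=f"{row.get('date', '?')} {row.get('time', '?')}",
            client_ip=row.get("c-ip", "?"),
            method=row.get("cs-method", "?"),
            status=status,
            user_agent=row.get("cs(User-Agent)", "-"),
        ))
    return hits


def summarize(hits: list) -> tuple:
    """Requests per source IP, plus the subset that returned 200, which a responder should
    treat as a probable successful reset until the server's own logs prove otherwise."""
    per_ip = Counter(h.client_ip for h in hits)
    succeeded = [h for h in hits if h.status == 200]
    return per_ip, succeeded


if __name__ == "__main__":
    hits = find_reset_hits(SAMPLE_LOG.splitlines())
    per_ip, succeeded = summarize(hits)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s) to {RESET_ENDPOINT}")
    for h in succeeded:
        print(f"  200 at {h.timestamp} from {h.client_ip} ({h.user_agent})")
```

Every hit matters, not only the 200s: failed or errored requests to this endpoint from the internet still show that someone was probing the server. A 200 from an address you do not recognize should be treated as an administrator account reset and handled as a compromise, with the administrator password rotated and the volume settings checked, before the web log is trusted to say anything more.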
Conclusion and Recommendations
The SmarterMail flaw is serious: an unauthenticated attacker who knows an administrator username can take over the administrator account and, through built-in functionality, run commands as SYSTEM. Users should update to the latest build without delay and check any server that was exposed while unpatched for signs of compromise. SmarterTools' decision to email administrators when a CVE is discovered and when a fix ships is a step in the right direction, but administrators would be better served by release notes that state plainly which vulnerabilities a build fixes, so that they can judge the urgency of an update for themselves.

