thehackernews.com · 1/30/2026, 8:10:11 AM

SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available

SmarterTools has fixed two security flaws in SmarterMail, including a critical unauthenticated remote code execution vulnerability tracked as CVE-2026-24423 with a CVSS score of 9.3, according to CVE[.]org. The description notes that SmarterMail versions before Build 9511 contain the vulnerability in the ConnectToHub API method, which could allow an attacker to point SmarterMail at a malicious HTTP server and have an OS command executed by the vulnerable application.

The fixes are included in Build 9511, released on 15 January 2026; the same build also addresses another critical flaw, CVE-2026-23760, that has been exploited in the wild. In addition, SmarterTools has released a fix for CVE-2026-25067 (CVSS 6.9), which could enable NTLM relay attacks via unauthenticated path coercion in the background-of-the-day endpoint; that fix shipped in Build 9518 on 22 January 2026. The disclosures credit researchers from watchTowr, CODE WHITE GmbH, and VulnCheck with discovering and reporting the vulnerabilities.


Article by CyberSIXT