SmarterTools has fixed two security bugs in its SmarterMail email software, including a critical vulnerability tracked as CVE-2026-24423 with a CVSS score of 9.3 that could let attackers execute arbitrary code on affected systems.
According to SmarterTools, SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method: an attacker could point the SmarterMail server at a malicious HTTP server and have a malicious OS command executed by the vulnerable application.
Along with that flaw, CVE-2026-23760 (also CVSS 9.3) is described as an authentication bypass that could allow an unauthenticated attacker to hijack administrator accounts and achieve remote code execution, potentially taking full control of vulnerable servers.
Shadowserver has reported that over 6,000 SmarterMail servers appear exposed online and likely vulnerable, with exploitation attempts observed in the wild. watchTowr disclosed the vulnerability on 8 January and SmarterTools addressed it on 15 January without assigning a CVE at that time. In response, CISA added CVE-2026-23760 to its Known Exploited Vulnerabilities catalog with a February 16, 2026 deadline for remediating affected systems.