www.securityweek.com, 1/23/2026, 10:51:01 AM

Fresh SmarterMail Flaw Exploited for Admin Access

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available

Threat actors began exploiting an authentication bypass vulnerability in SmarterTools SmarterMail, tracked as CVE-2026-23760 (CVSS 9.3), roughly two days after patches were released. The flaw affects the password reset API and enables attackers to reset an administrator’s password without authentication, potentially gaining full control of the SmarterMail instance; remote code execution is then possible through functionality that allows system administrators to run OS commands.

Security researchers note that exploitation has been widespread for nearly a week, and that threat actors can obtain valid access tokens, configure a malicious System Event, add a new domain, and carry out cleanup operations to achieve full RCE. The authentication bypass was addressed in SmarterMail version 9511, released on 15 January 2026, and watchTowr says the fix has already been reverse-engineered.

Huntress warns that attackers are abusing the System Events feature in attacks exploiting CVE-2026-23760, and urges users to update to a patched release and review their systems for signs of compromise.


Article by CyberSIXT