Over 6,000 SmarterMail servers exposed on the internet are running vulnerable versions that are at risk of active remote code execution (RCE) attacks.
Security researchers identified the flaws through daily HTTP vulnerability scans, and exploitation attempts have already been observed in the wild.
This represents a significant threat to organizations worldwide relying on SmarterMail for enterprise email operations.
Vulnerability Overview
CVE-2026-23760 is a critical authentication bypass vulnerability in the SmarterMail password reset API affecting all versions prior to Build 9511, released January 15, 2026.
The vulnerability carries a CVSS score of 9.3, indicating extreme risk to affected systems.
The flaw exists in the /api/v1/auth/force-reset-password endpoint, which permits unauthenticated requests without requiring password verification or reset tokens when targeting administrator accounts.
An attacker exploiting this vulnerability can supply any administrator username with a new password, achieving immediate administrative account takeover.
Critically, SmarterMail administrators have built-in functionality that enables direct execution of operating system commands through the Settings interface, effectively elevating the compromise to SYSTEM-level access on the underlying host.
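As an added illustration, not part of the original article or of SmarterTools' own tooling, the short Python triage script below flags calls to the password reset endpoint described above in web-server access logs and checks whether a reported build predates the fix. The W3C-style log layout, the sample lines, the internal address ranges and the function names are constructed assumptions; SmarterMail's real log format may differ.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not from the article. The log layout is an ASSUMED W3C-style
# shape (date time server-ip method uri query port user client-ip agent status);
# SmarterMail's real access logs may differ.
VULN_ENDPOINT = "/api/v1/auth/force-reset-password"
FIXED_BUILD = 9511  # first build that closes CVE-2026-23760, per the article
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]  # assumed ranges

# Constructed sample lines: an external, unauthenticated client first, then an
# authenticated admin working from the internal network.
SAMPLE_LOG = """\
2026-01-17 03:12:44 10.0.0.5 POST /api/v1/auth/force-reset-password - 443 - 203.0.113.77 python-requests/2.31 200
2026-01-17 03:12:45 10.0.0.5 POST /api/v1/auth/login - 443 - 203.0.113.77 python-requests/2.31 200
2026-01-17 08:01:02 10.0.0.5 GET /interface/root - 443 admin 192.168.1.20 Mozilla/5.0 200
2026-01-17 08:05:10 10.0.0.5 POST /api/v1/auth/force-reset-password - 443 admin 192.168.1.20 Mozilla/5.0 200
"""

@dataclass
class ResetHit:
    timestamp: str
    client_ip: str
    user: str                  # "-" means no authenticated user on the request
    status: str
    reasons: list = field(default_factory=list)  # empty list = looks benign

def is_vulnerable_build(build: int) -> bool:
    """Builds before 9511 carry the unauthenticated force-reset flaw."""
    return build < FIXED_BUILD

def triage_reset_calls(log_text: str) -> list:
    """Return every force-reset call, annotated with why it looks suspicious."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11 or f[4] != VULN_ENDPOINT:
            continue
        hit = ResetHit(f"{f[0]} {f[1]}", f[8], f[7], f[10])
        if hit.user == "-":
            hit.reasons.append("unauthenticated request to reset endpoint")
        if not any(ipaddress.ip_address(hit.client_ip) in n for n in INTERNAL_NETS):
            hit.reasons.append("source outside internal ranges")
        hits.append(hit)
    return hits

def suspicious(log_text: str) -> list:
    """Hits carrying at least one reason: the ones to hand to incident response."""
    return [h for h in triage_reset_calls(log_text) if h.reasons]
```

A legitimate admin-initiated reset still appears in the full list with an empty reason set, so reviewers can reconcile it against change records rather than discard it.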
Multiple security organizations have confirmed active exploitation since at least January 17, 2026, just two days after the patch release.
Huntress Labs observed threat actors using the compromised administrator accounts to create malicious System Events configured to execute reconnaissance commands on vulnerable hosts.
The attack chain demonstrates a sophisticated understanding of SmarterMail architecture, with attackers systematically resetting accounts, obtaining authentication tokens, and installing persistent backdoors.
Watchtowr Labs received anonymous reports confirming threat actors exploiting the vulnerability in production environments.
This is particularly concerning given that attackers actively monitor release notes and perform patch diffing to reverse-engineer vulnerabilities.
Shadowserver’s geographically distributed scanning reveals vulnerable instances across multiple continents, though the exact regional breakdown has not been publicly detailed.
The discovery of 6,000 vulnerable IPs underscores the significant attack surface, particularly as many organizations remain unaware of available patches.
SmarterTools strongly recommends updating to the latest build immediately. Organizations should prioritize patching, as attackers are actively targeting unpatched instances and exploitation attempts show no sign of slowing.
Security teams should review administrator account activity logs for unauthorized password resets, investigate potential web shells or malware installed via exploitation, and confirm that system backups remain uncompromised.
