SmarterMail Flaw Lets Attackers Hijack Admin Accounts

Summary
– An authentication bypass vulnerability in SmarterMail allows attackers to reset the system administrator password without authentication via a specific API endpoint.
– The flaw is now being actively exploited in the wild, with evidence of attacks starting just two days after a patch was released.
– Exploiting this vulnerability grants attackers admin privileges, leading to full remote code execution on the host system.
– The vulnerability was reported by researchers on January 8, patched by SmarterTools on January 15, and later assigned the identifier CVE-2026-23760.
– Users are strongly recommended to upgrade to SmarterMail Build 9511 to protect against this critical security flaw.
A critical security flaw in the SmarterMail email server platform is now being actively exploited, allowing attackers to completely hijack administrator accounts. This vulnerability, which bypasses authentication, enables unauthorized individuals to reset the system administrator password and gain full control over the server. The issue stems from a specific API endpoint that was intentionally left exposed without any security checks, making it a prime target for malicious actors.
Cybersecurity researchers identified the problem earlier this month, and the software’s developer, SmarterTools, released a fix on January 15th. However, evidence shows that threat actors began exploiting the vulnerability just two days after the patch was issued. This rapid turnaround strongly suggests that hackers successfully reverse-engineered the security update to understand and weaponize the underlying weakness.
SmarterMail is a widely used, self-hosted Windows platform that provides email, webmail, calendars, and collaboration tools. It is a popular choice for managed service providers, hosting companies, and small to medium-sized businesses globally, with the vendor claiming millions of users across numerous countries. The flaw specifically targets the platform’s administrative functions, leaving regular user accounts unaffected.
The vulnerability exists within the ‘force-reset-password’ API endpoint. This function accepts JSON input from a user without verifying their identity. A key property within this input, ‘IsSysAdmin’, can be manipulated by an attacker. If this property is set to ‘true’, the system executes its administrator password reset logic. Crucially, the process does not validate the old password or perform any other security controls, despite the presence of an ‘OldPassword’ field in the request.
This design oversight means that anyone who can determine or guess an administrator username can set a new password and seize control of that account. With administrative access, an attacker gains the ability to run operating system commands on the host server, effectively achieving full remote code execution. Researchers have demonstrated a proof-of-concept exploit that provides SYSTEM-level shell access, the highest level of privilege on a Windows machine.
Evidence of active exploitation emerged from an anonymous tipster who reported that administrator passwords were being reset. This claim was corroborated by forum posts and server logs that clearly showed attacks targeting the vulnerable ‘force-reset-password’ endpoint. This discovery follows another recent, critical pre-authentication remote code execution flaw found in the same software just weeks prior.
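The log evidence described above is the kind of signal a defender can hunt for directly: because the vulnerable endpoint required no authentication, any POST to it is worth a look, and POSTs from outside the administrators' networks are the urgent ones. The script below is an added example, not code from SmarterTools or from the Bleeping Computer report. It assumes a generic combined-log style access log (SmarterMail's own log format may differ), the sample lines are constructed, the `/api/` prefix in front of the `force-reset-password` endpoint name is an assumption (so the check matches on the endpoint name rather than the full path), and the `10.0.0.0/8` admin network and build number comparison against Build 9511 are illustrative.

```python
"""Flag requests to the 'force-reset-password' endpoint in web-server access logs.

Added illustration; not SmarterTools code. The log format is a generic
combined-log style constructed for this example, and the '/api/' prefix in
front of the endpoint name is an assumption: match on the endpoint name
itself so the check survives a different prefix.
"""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

ENDPOINT_MARKER = "force-reset-password"   # endpoint name from the advisory text
PATCHED_BUILD = 9511                       # first fixed build named by the vendor

# Constructed sample log lines (generic combined-log style, not SmarterMail's own format).
SAMPLE_LOG = """\
203.0.113.9 - - [17/Jan/2026:03:12:44 +0000] "POST /api/force-reset-password HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [17/Jan/2026:03:12:50 +0000] "GET /interface/root HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2026:03:13:01 +0000] "POST /api/force-reset-password HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.0.0.5 - - [17/Jan/2026:09:00:02 +0000] "POST /api/force-reset-password HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_reset_attempts(log_text, trusted_nets=()):
    """Every POST to the force-reset-password endpoint, tagged by source.

    Any hit deserves review because the vulnerable endpoint needed no
    authentication; hits from outside the admin networks are rated high.
    """
    nets = [ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if ENDPOINT_MARKER not in rec["path"].lower():
            continue
        src = ip_address(rec["ip"])
        trusted = any(src in n for n in nets)
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"].isoformat(),
            "status": rec["status"],
            "severity": "review" if trusted else "high",  # untrusted source = likely exploitation
        })
    return findings


def sources_by_hits(findings):
    """Source IPs ordered by number of reset attempts (a burst suggests a scripted attack)."""
    return Counter(f["ip"] for f in findings).most_common()


def is_patched(build):
    """True if the installed build is at or past the fixed build named by the vendor."""
    return int(build) >= PATCHED_BUILD


if __name__ == "__main__":
    hits = find_reset_attempts(SAMPLE_LOG, trusted_nets=["10.0.0.0/8"])
    for h in hits:
        print(h)
    print("attempts per source:", sources_by_hits(hits))
    print("build 9511 patched:", is_patched(9511))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents and `trusted_nets` with the networks your administrators actually use; a "review" hit from a trusted range still needs a quick check with whoever was at that address, since a successful reset is invisible from the log line alone.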
All users of SmarterMail are urged to immediately update to Build 9511, released on January 15th, which addresses this and the previous security issue. The vulnerability has since been formally assigned the identifier CVE-2026-23760 and is rated as critical with a high CVSS score. Independent security firms have also published reports confirming the ongoing exploitation of this flaw in real-world attacks.
(Source: Bleeping Computer)
