
6,000+ SmarterMail Servers Vulnerable to Hijacking

Summary

– Over 6,000 SmarterMail servers are exposed online and likely vulnerable to a critical authentication bypass flaw (CVE-2026-23760).
– The vulnerability allows unauthenticated attackers to reset admin passwords and gain full control of the server for remote code execution.
– Multiple researchers have confirmed thousands of vulnerable instances, with evidence of mass, automated exploitation in the wild.
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its list of actively exploited vulnerabilities.
– CISA has ordered federal agencies to patch their systems within three weeks due to the significant risk posed.

A significant security threat has emerged for organizations using SmarterMail email servers, with thousands of systems currently exposed to a critical vulnerability that allows complete takeover. Security researchers have identified over six thousand servers that are likely vulnerable to an authentication bypass flaw, enabling attackers to hijack administrator accounts and execute remote code. This vulnerability, tracked as CVE-2026-23760, poses a severe risk to any unpatched installation.

The issue was initially reported to the developer, SmarterTools, by cybersecurity firm watchTowr in early January. A fix was released on January 15th, but the flaw was not assigned an official identifier until later. The vulnerability exists in versions of SmarterMail prior to build 9511. It specifically affects the password reset API, where the force-reset-password endpoint fails to properly verify requests. This allows an unauthenticated attacker to reset an administrator’s password by simply supplying the username and a new password, leading to full administrative control of the email server instance.

watchTowr’s discovery came just two weeks after they found another critical pre-authentication vulnerability in the same software, identified as CVE-2025-52691, which also enabled remote code execution. The nonprofit security organization Shadowserver has been actively scanning for vulnerable systems. Their data shows more than 6,000 SmarterMail servers are likely vulnerable, with the majority located in North America and a significant number in Asia. Independent scans by a Macnica threat researcher suggest an even higher figure, finding over 8,550 vulnerable instances.

Evidence indicates that malicious actors are already exploiting this flaw in widespread attacks. watchTowr was alerted to active exploitation in the wild on January 21st, a detail confirmed the following day by cybersecurity firm Huntress. The attacks appear to be automated and mass-scale. In response to the active threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of known exploited flaws. CISA has mandated that all federal civilian agencies apply the vendor-provided patches by February 16th to secure their systems.
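The mechanism described above (an unauthenticated request to the force-reset-password endpoint resetting an administrator password) and the automated, mass-scale exploitation it has attracted are both things an administrator can look for in web-server access logs. The script below is an added example written for this article, not code from SmarterTools, watchTowr or Huntress. It parses sample access-log lines in common log format, flags POST requests to the reset endpoint, groups them by source address, and rates sources outside a trusted management network as high priority. The endpoint path, the log lines and the trusted network range are all constructed placeholders; the only value taken from the article is build 9511 as the first fixed build.

```python
"""Threat-hunting helper for the SmarterMail password-reset bypass.

Added example, not vendor or researcher code. The endpoint path, the
sample log lines and the trusted admin network below are constructed
placeholders; check your own server logs for the real route.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Match on the endpoint name given in the article; the full path is unknown
# here, so only the distinctive segment is used.
RESET_PATTERN = re.compile(r"force-reset-password", re.IGNORECASE)

# Build 9511 is the first fixed build according to the article.
FIXED_BUILD = 9511

# Constructed assumption: admin-level requests are only expected from this range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Common log format with a trailing user-agent field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the hypothetical /api/v1/auth/force-reset-password
# path stands in for the real endpoint.
SAMPLE_LOG = """\
10.0.5.12 - - [21/Jan/2026:09:14:02 +0000] "GET /interface/root HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jan/2026:09:15:31 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 48 "-" "python-requests/2.31"
203.0.113.7 - - [21/Jan/2026:09:15:32 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.23 - - [21/Jan/2026:09:16:05 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 48 "-" "curl/8.4.0"
10.0.5.12 - - [21/Jan/2026:09:20:44 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jan/2026:09:21:10 +0000] "GET /interface/root HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""


def is_vulnerable_build(build: int) -> bool:
    """Builds before 9511 are affected; 9511 and later carry the fix."""
    return build < FIXED_BUILD


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an expected admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def hunt_reset_abuse(log_text: str):
    """Group POSTs to the reset endpoint by source and rate each source.

    A source outside the trusted range that received HTTP 200 is rated
    "high"; a trusted source is rated "review" (a legitimate admin may
    still have used the endpoint, so confirm it with that person).
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and RESET_PATTERN.search(rec["path"]):
            hits[rec["ip"]].append(rec)

    findings = []
    for ip, recs in hits.items():
        trusted = is_trusted(ip)
        succeeded = any(r["status"] == 200 for r in recs)
        findings.append({
            "ip": ip,
            "count": len(recs),
            "first_seen": min(r["ts"] for r in recs).isoformat(),
            "trusted_source": trusted,
            "succeeded": succeeded,
            "user_agents": sorted({r["ua"] for r in recs}),
            "severity": "review" if trusted else ("high" if succeeded else "medium"),
        })
    # Busiest sources first; tie-break on address so output is stable.
    return sorted(findings, key=lambda f: (-f["count"], f["ip"]))


if __name__ == "__main__":
    for f in hunt_reset_abuse(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} hits={f['count']} "
              f"first={f['first_seen']} ua={','.join(f['user_agents'])}")
```

Any hit from an untrusted source on a server running a build below 9511 should be treated as a probable compromise rather than a mere attempt: the article notes the endpoint reset the password when given only a username and new value, so a successful request implies the admin credential has changed. Rotating that credential and reviewing subsequent administrative activity from the same source follows from that.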

Administrators are urged to immediately update their SmarterMail installations to build 9511 or later. CISA’s guidance stresses that such vulnerabilities are common vectors for cyberattacks and carry substantial risk. The agency advises applying all vendor mitigations, following established security guidance for cloud services, or discontinuing use of the product if patches cannot be applied. This incident follows another recent warning from Shadowserver regarding nearly 800,000 IP addresses exposed due to a separate critical flaw in a Telnet server, highlighting the persistent danger of authentication bypass vulnerabilities across internet-facing services.

(Source: Bleeping Computer)
