Critical SmarterMail Flaw Actively Exploited by Ransomware Gangs

Originally published on: February 7, 2026
Summary

– CISA has added a third SmarterMail vulnerability (CVE-2026-24423) to its Known Exploited Vulnerabilities catalog, noting its use in ransomware attacks.
– This latest flaw is a missing authentication issue in an API that allows unauthenticated attackers to achieve remote code execution on versions before v100.0.9511.
– The vulnerability works by allowing an attacker-controlled server to send commands that the vulnerable SmarterMail server will execute.
– CISA has ordered U.S. federal agencies to patch this vulnerability by February 26, 2026, and users are advised to update to the latest build.
– This follows two other recently cataloged SmarterMail vulnerabilities (CVE-2025-52691 and CVE-2026-23760), which were also analyzed and confirmed to be exploited.

A critical security flaw in the SmarterTools SmarterMail server is now under active exploitation by ransomware groups, prompting urgent warnings from federal cybersecurity authorities. The vulnerability, tracked as CVE-2026-24423, has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, marking the third such SmarterMail flaw flagged in a two-week period. This escalation highlights a concentrated attack campaign targeting the popular email and collaboration platform.

The issue stems from a missing authentication check within SmarterMail’s ConnectToHub API. This oversight allows attackers who are not logged in to execute remote code on vulnerable systems. Specifically, the flaw exists in the `/api/v1/settings/sysadmin/connect-to-hub` endpoint, which fails to verify user identity. An attacker can send a specially crafted POST request to this unsecured API, forcing the server to communicate with a malicious, external hub address under their control.

The attack chain involves the vulnerable server contacting the attacker’s specified address. The malicious server then responds with a JSON object containing a `CommandMount` parameter. This parameter can be manipulated to define and execute arbitrary commands on the SmarterMail server. The vulnerability affects all SmarterMail versions prior to build 100.0.9511, putting a significant number of deployments at immediate risk.

Security researchers from multiple firms, including watchTowr, CODE WHITE GmbH, and VulnCheck, independently discovered and reported the flaw. According to their analysis, the attack is platform-agnostic, meaning the arbitrary command execution works across all operating systems that SmarterMail supports. This broad impact makes the vulnerability particularly attractive to threat actors.

Federal agencies have been directed to patch their systems immediately. CISA has issued a binding operational directive, mandating that all federal civilian executive branch organizations apply the necessary updates by February 26, 2026, to mitigate the threat. For administrators in the private sector and elsewhere, the guidance is equally urgent: apply the latest SmarterMail patch without delay.

Beyond patching, security teams should proactively hunt for signs of compromise. Experts recommend scrutinizing server logs for any suspicious interactions with the vulnerable `/api/v1/settings/sysadmin/connect-to-hub` endpoint. Any unauthorized or unexpected connection attempts to this API could indicate an ongoing or attempted attack. This latest incident follows the recent listing of two other SmarterMail vulnerabilities, CVE-2025-52691 and CVE-2026-23760, in the KEV catalog, confirming a troubling trend of focused exploitation against this software.
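As an added example (not code from the article, HelpNet Security, or SmarterTools), the log check above can be scripted: the snippet below flags POST requests to the connect-to-hub endpoint in an access log, noting whether each carried an authenticated user, and tests whether a build string predates 100.0.9511. The common-log-style line layout and the sample lines are assumed and constructed; SmarterMail's own log format may differ.

```python
import re
from dataclasses import dataclass

# Endpoint and first fixed build named in the advisory text.
HUB_ENDPOINT = "/api/v1/settings/sysadmin/connect-to-hub"
FIXED_BUILD = (100, 0, 9511)

# Constructed sample in an assumed common-log layout (not SmarterMail's real
# format). Line 3 is the suspicious one: an unauthenticated POST to the endpoint.
SAMPLE_LOG = """\
203.0.113.7 - admin [07/Feb/2026:10:01:12 +0000] "GET /api/v1/settings/sysadmin/status HTTP/1.1" 200 512
10.0.0.5 - admin [07/Feb/2026:10:02:40 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 88
198.51.100.23 - - [07/Feb/2026:10:03:01 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 88
198.51.100.23 - - [07/Feb/2026:10:03:02 +0000] "GET /interface/login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

@dataclass
class Hit:
    ip: str
    user: str
    ts: str
    authenticated: bool

def find_hub_hits(log_text: str) -> list[Hit]:
    """Return every POST to the connect-to-hub endpoint; a hit with no
    authenticated user is the pattern described for CVE-2026-24423."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed layout
        if m["method"] == "POST" and m["path"].split("?")[0] == HUB_ENDPOINT:
            hits.append(Hit(m["ip"], m["user"], m["ts"], m["user"] != "-"))
    return hits

def is_vulnerable_build(version: str) -> bool:
    """True when a dotted build string is older than 100.0.9511."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_BUILD

if __name__ == "__main__":
    for h in find_hub_hits(SAMPLE_LOG):
        print("ALERT" if not h.authenticated else "ok   ", h.ts, h.ip, h.user)
```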

(Source: HelpNet Security)
