CISA Alerts: SmarterMail RCE Flaw Actively Exploited in Ransomware

Summary
– CISA warns that ransomware actors are actively exploiting a critical, unauthenticated remote code execution vulnerability (CVE-2026-24423) in SmarterMail email server software.
– The vulnerability affects SmarterMail versions before Build 9511 and allows attackers to execute commands by redirecting the instance to a malicious server via the ConnectToHub API.
– SmarterTools patched the flaw on January 15, 2024, and CISA has added it to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply updates by February 26, 2026.
– Researchers also discovered a separate, unpatched authentication bypass flaw (WT-2026-0001) that allows unauthorized password resets and has been exploited by hackers.
– Administrators are urged to update to the latest SmarterMail build (currently 9526) as the vendor has fixed multiple critical security flaws since the initial patch.
A critical security flaw in the SmarterMail email server platform is now being actively used by ransomware groups, prompting an urgent warning from federal cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability, tracked as CVE-2026-24423, to its Known Exploited Vulnerabilities catalog, confirming its active exploitation. This issue allows attackers to execute arbitrary commands on unpatched systems without needing any login credentials, posing a severe risk to organizations using the software.
SmarterMail is a widely used, self-hosted email and collaboration suite developed by SmarterTools. Running on Windows servers, it provides comprehensive mail services alongside webmail, shared calendars, contact management, and other groupware features. The platform is particularly popular with managed service providers (MSPs), hosting companies, and small to medium-sized businesses. The vendor reports its products serve an estimated 15 million users globally.
The specific flaw exists in versions of SmarterMail released before build 9511. It involves a missing authentication check in the ConnectToHub API method. This weakness enables an attacker to redirect the SmarterMail instance to a malicious server under their control. That server can then deliver a harmful operating system command, leading directly to remote code execution on the vulnerable host.
Security research teams from watchTowr, CODE WHITE, and VulnCheck identified and responsibly reported this vulnerability to SmarterTools. The vendor addressed the issue with the release of build 9511 on January 15. However, the window for attackers was not closed for long. Shortly after this patch was issued, watchTowr researchers uncovered a separate, related authentication bypass flaw. This second vulnerability, internally labeled WT-2026-0001, allows an attacker to reset the administrator password without any verification.
Evidence suggests this secondary flaw was exploited by malicious actors almost immediately. Researchers point to anonymous tips, specific log entries on compromised systems, and network traffic hitting endpoints that align perfectly with the vulnerable code path as proof of in-the-wild attacks.
In response to the ongoing threat, CISA has issued a binding directive. All federal civilian executive branch agencies, along with any organizations bound by Binding Operational Directive 22-01, must apply the available security updates or implement the vendor’s recommended mitigations. If they cannot do so, they are required to discontinue using the affected SmarterMail products by the deadline of February 26, 2026.
System administrators are strongly advised to move beyond the initial patch. Since the January fix, SmarterTools has released additional updates that resolve other critical security issues. The current recommended build is 9526, which was published on January 30. Applying this latest version is the most effective step to secure email servers against these known and actively exploited threats.
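The two practical checks the article implies, as an added example that is not part of the Bleeping Computer report or of SmarterTools' own tooling: first, compare an installed build number against the fixing build (9511) and the current recommended build (9526) named above; second, triage web logs for requests that reach the ConnectToHub API method without an authenticated user, which is the kind of log evidence the researchers describe. The log line format, the URL path, and the sample entries are constructed for this example; real SmarterMail logs and routes may look different.

```python
"""Added example (not from the article or from SmarterTools).

Two defender checks after reading the SmarterMail advisory:
  1. assess_build(): is the installed build older than 9511 (fix for
     CVE-2026-24423) or older than 9526 (current recommended build)?
  2. triage_log(): do web logs show requests that reach the
     ConnectToHub API method with no authenticated user?

The log format and URL path below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_BUILD = 9511        # build that fixed CVE-2026-24423 (from the advisory)
RECOMMENDED_BUILD = 9526  # current recommended build (from the advisory)


def assess_build(build: int) -> str:
    """Classify an installed SmarterMail build number."""
    if build < FIXED_BUILD:
        return "VULNERABLE: older than build 9511, exposed to CVE-2026-24423"
    if build < RECOMMENDED_BUILD:
        return "OUTDATED: CVE-2026-24423 fixed, later critical fixes missing (update to 9526)"
    return "CURRENT: build 9526 or later"


# Constructed log format: "<client-ip> <user-or-dash> <METHOD> <path> <status>"
# A "-" in the user field means the request carried no authenticated identity.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str


def triage_log(lines: list[str]) -> list[Finding]:
    """Flag unauthenticated requests whose path reaches ConnectToHub.

    Lines that do not match the constructed format are skipped rather
    than treated as evidence.
    """
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if "connecttohub" in m["path"].lower() and m["user"] == "-":
            findings.append(
                Finding(m["ip"], m["path"], "unauthenticated call to ConnectToHub")
            )
    return findings


# Constructed sample log; the path "/api/hypothetical/ConnectToHub" is a
# placeholder, not a real SmarterMail route.
SAMPLE_LOG = [
    "198.51.100.4 admin POST /api/hypothetical/ConnectToHub 200",  # authenticated
    "203.0.113.7 - POST /api/hypothetical/ConnectToHub 200",       # unauthenticated
    "203.0.113.7 - GET /mail/inbox 302",                           # unrelated
    "not a log line",                                              # skipped
]


if __name__ == "__main__":
    for build in (9500, 9511, 9526):
        print(build, assess_build(build))
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.ip} {f.path}: {f.reason}")
```

Run on a real deployment, replace `SAMPLE_LOG` with the server's own web request log and adjust `LOG_RE` to its actual field layout; an empty result from `triage_log` is not proof of absence, since the missing-authentication bug means a successful call can look like ordinary traffic apart from the absent user identity.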
(Source: Bleeping Computer)