SmarterMail's Critical Unauthenticated RCE Flaw Fixed with CVSS 9.3 Score
Ravie Lakshmanan, Jan 30, 2026
SmarterTools has addressed three security vulnerabilities in its SmarterMail email software, including a critical flaw that could lead to arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0, placing it in the critical severity range.
The flaw lies in the ConnectToHub API method of SmarterMail versions prior to build 9511. An attacker who can point the SmarterMail server at an attacker-controlled HTTP server can execute arbitrary OS commands on the host. Researchers Sina Kheirkhah, Piotr Bazydlo, Markus Wulftange, and Cale Black were credited with discovering and reporting the vulnerability.
In addition to this flaw, SmarterTools has patched a second critical vulnerability (CVE-2026-23760), also rated CVSS 9.3, which was being actively exploited. This vulnerability allowed authentication bypass, and its in-the-wild exploitation makes timely updates especially important.
The company also addressed a medium-severity vulnerability (CVE-2026-25067, CVSS score 6.9) involving unauthenticated path coercion in the background-of-the-day preview endpoint, which could enable NTLM relay attacks and unauthorized network authentication.
The vulnerabilities were patched in Build 9511 and Build 9518, released on January 15 and January 22, 2026, respectively. With these issues now resolved, users are urged to update their SmarterMail installations as soon as possible.