A privilege escalation vulnerability (CVE-2026-23760) in SmarterTools' SmarterMail allowed attackers to take over privileged accounts and achieve remote code execution; users should upgrade to Build 9511, released January 15, 2026. Huntress observed mass automated exploitation using HTTP POST requests to SmarterMail API endpoints and malicious System Events configured to run reconnaissance commands. #SmarterMail #CVE-2026-23760
Key Points
- CVE-2026-23760 in SmarterMail allowed privileged account takeover and remote code execution; versions prior to Build 9511 are vulnerable.
- Huntress observed in-the-wild, mass automated exploitation using HTTP POST requests across multiple customers.
- Attackers exploited the /api/v1/auth/force-reset-password flow to change a privileged user’s password without validating the old password.
- Hijacked privileged accounts were used to create malicious System Events that executed reconnaissance commands when a new domain was added.
- Observed attack lifecycle included authentication, event-hook creation, domain addition to trigger execution, and cleanup via domain-delete and event-hook-delete.
- Indicators include a set of source IPs, the python-requests/2.32.4 user-agent, and a result.txt file containing reconnaissance output; organizations are urged to update and audit systems.
MITRE Techniques
- [T1098] Account Manipulation – Exploited the password reset flow to change a privileged user’s password without validating the old password (‘POST /api/v1/auth/force-reset-password Exploits the account takeover vulnerability to gain access to a privileged user account.’).
- [T1078] Valid Accounts – Used hijacked privileged credentials to obtain valid access tokens and authenticate to the application (‘POST /api/v1/auth/authenticate-user Obtains a valid access token with the privileged user’s credentials.’).
- [T1190] Exploit Public-Facing Application – Leveraged HTTP POST requests to SmarterMail API endpoints to exploit the application and achieve code execution (‘A review of the relevant application logs on exploited hosts has shown that the threat actor(s) made a series of HTTP POST requests to the SmarterMail application to achieve their objectives.’).
- [T1546] Event Triggered Execution – Created malicious System Events that were configured to run the actor’s reconnaissance commands when a new domain was added (‘We suspect that the System Event was configured to execute the threat actor’s reconnaissance command(s) when a new domain was added to the SmarterMail application.’).
- [T1082] System Information Discovery – Executed reconnaissance commands and stored output locally for collection (‘C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt File containing output of reconnaissance.’).
- [T1070] Indicator Removal on Host – Performed cleanup actions to remove indicators, including deleting domains and System Events (‘POST /api/v1/settings/sysadmin/domain-delete/google.abc[.]com/true Clean-up activities as a part of indicator removal.’ / ‘POST /api/v1/settings/sysadmin/event-hook-delete Clean-up activities as a part of indicator removal.’).
Indicators of Compromise
- [IP Addresses] Source of attacks – 142.111.152[.]57, 155.2.215[.]66, and 26 other IPs observed as the source of the attacks.
- [User-Agent] Observed conducting the attacks – python-requests/2.32.4 (the default Python requests user-agent, used by the attacker).
- [File] Reconnaissance output file – C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt (file containing output of reconnaissance).
- [API Endpoints] POST requests observed during exploitation – /api/v1/auth/force-reset-password, /api/v1/settings/sysadmin/event-hook, and 4 other endpoints (/api/v1/auth/authenticate-user, /api/v1/settings/sysadmin/domain-put, /api/v1/settings/sysadmin/domain-delete/google.abc[.]com/true, /api/v1/settings/sysadmin/event-hook-delete).
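The attack lifecycle in the key points and the endpoint list above can be turned into a sequence detection over web-access logs. The following is an added example written for this summary, not code from Huntress or SmarterTools; the log line layout (`<timestamp> <src_ip> <method> <path> <status> "<user-agent>"`) and the sample entries are constructed assumptions, while the API paths are the ones reported on this page.

```python
import re
from collections import defaultdict

# API calls in the order the report describes them (paths are from the page).
CHAIN = [
    "/api/v1/auth/force-reset-password",      # password reset without old password
    "/api/v1/auth/authenticate-user",         # token for the hijacked privileged account
    "/api/v1/settings/sysadmin/event-hook",   # malicious System Event created
    "/api/v1/settings/sysadmin/domain-put",   # domain add triggers the event
]
CLEANUP = ("/api/v1/settings/sysadmin/domain-delete/",
           "/api/v1/settings/sysadmin/event-hook-delete")
# Assumed log layout: <timestamp> <src_ip> <method> <path> <status> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
FIELDS = ("ts", "ip", "method", "path", "status", "ua")

def parse(line):
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def detect(lines):
    """One finding per source IP that at least reached event-hook creation."""
    progress, cleanup, agents = defaultdict(int), defaultdict(set), {}
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST":
            continue
        ip, path, step = rec["ip"], rec["path"], progress[rec["ip"]]
        agents[ip] = rec["ua"]
        if step < len(CHAIN) and path == CHAIN[step]:
            progress[ip] = step + 1          # advance only on the expected next step
        elif path.startswith(CLEANUP):
            cleanup[ip].add(path)            # indicator removal after execution
    return [{"ip": ip, "stage": step, "full_chain": step == len(CHAIN),
             "cleanup": sorted(cleanup[ip]),
             "python_requests": agents[ip].startswith("python-requests/")}
            for ip, step in progress.items() if step >= 3]

# Constructed sample: 198.51.100.7 walks the whole chain; 203.0.113.5 is a normal admin login.
SAMPLE_LOG = """\
2026-01-16T03:14:05Z 198.51.100.7 POST /api/v1/auth/force-reset-password 200 "python-requests/2.32.4"
2026-01-16T03:14:06Z 198.51.100.7 POST /api/v1/auth/authenticate-user 200 "python-requests/2.32.4"
2026-01-16T03:14:07Z 198.51.100.7 POST /api/v1/settings/sysadmin/event-hook 200 "python-requests/2.32.4"
2026-01-16T03:14:08Z 198.51.100.7 POST /api/v1/settings/sysadmin/domain-put 200 "python-requests/2.32.4"
2026-01-16T03:14:20Z 198.51.100.7 POST /api/v1/settings/sysadmin/domain-delete/example.test/true 200 "python-requests/2.32.4"
2026-01-16T03:14:21Z 198.51.100.7 POST /api/v1/settings/sysadmin/event-hook-delete 200 "python-requests/2.32.4"
2026-01-16T08:02:11Z 203.0.113.5 POST /api/v1/auth/authenticate-user 200 "Mozilla/5.0"
2026-01-16T08:05:40Z 203.0.113.5 GET /api/v1/settings/sysadmin/event-hook 200 "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A source that reaches stage 3 already has a hijacked privileged account plus a persistence hook, so it is worth alerting on even when the domain-put and cleanup steps are missing; the `cleanup` list shows whether the host's own indicators have since been removed.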
Read more: https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce