CISA warns that ransomware actors are actively exploiting CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterMail's ConnectToHub API. SmarterTools shipped fixes in build 9511 and then build 9526 following the disclosures; a separate admin-password bypass tracked as WT-2026-0001 has also been exploited. Federal agencies must patch or stop using the product by February 26, 2026. #SmarterMail #CVE-2026-24423
Keypoints
- CVE-2026-24423 allows unauthenticated remote code execution in SmarterMail through the ConnectToHub API.
- CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and reports it is being actively exploited in ransomware campaigns.
- SmarterTools patched the flaw in build 9511 (Jan 15) and released additional fixes in build 9526 (Jan 30); administrators should upgrade to build 9526 or later immediately.
- Researchers at watchTowr, CODE WHITE, and VulnCheck disclosed the issue; a separate admin-password bypass tracked as WT-2026-0001 was also exploited in the wild.
- Federal agencies subject to Binding Operational Directive (BOD) 22-01 must apply the updates or discontinue use of SmarterMail by February 26, 2026.