Fresh SmarterMail Flaw Exploited for Admin Access

Threat actors began exploiting an authentication bypass in SmarterTools SmarterMail roughly two days after patches were released. The flaw, tracked as CVE-2026-23760, lets an unauthenticated attacker reset the password of an administrator account and take over a vulnerable instance; with admin access, the attacker can then reach full remote code execution through the Volume Mount Command field. Exploitation became widespread once the fix was reverse-engineered.

Keypoints

  • An authentication bypass in SmarterMail’s password reset API (CVE-2026-23760) lets attackers reset admin passwords without authentication.
  • After taking over an admin account, attackers can achieve full RCE by embedding commands in the Volume Mount Command field.
  • The vulnerability was patched in SmarterMail version 9511 on January 15, but the fix was quickly reverse-engineered and widely exploited.
  • Huntress observed attackers abusing System Events and adding domains to trigger malicious actions and perform reconnaissance.
  • Administrators should update to the patched release immediately and inspect systems for signs of compromise, including indicators tied to the earlier CVE-2025-52691.
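The bug class behind the first key point is a password-reset endpoint that acts on a caller-supplied account name without any proof that the caller owns that account. The following is an added illustration of that pattern and of the usual hardened form (a random single-use token, stored only as a hash, bound to one account and to an expiry). It is not SmarterMail code, and this page does not describe the internal mechanics of CVE-2026-23760; the in-memory store, the `admin` account, its password, and the token lifetime are constructed for the example.

```python
"""Vulnerable vs. hardened password-reset handlers (illustrative, not SmarterMail's code)."""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 600  # token lifetime; an assumption for this example


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def make_store():
    """Constructed in-memory account store standing in for a real user database."""
    salt, digest = hash_password("correct horse battery staple")
    return {
        "users": {"admin": {"role": "admin", "salt": salt, "digest": digest}},
        "pending_resets": {},  # account -> (sha256(token), expiry timestamp)
    }


def verify_password(store, account, password):
    """Constant-time check of a candidate password against the stored hash."""
    user = store["users"].get(account)
    if user is None:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["digest"])


def reset_password_vulnerable(store, request):
    """Vulnerable pattern: the handler trusts the account name in the request
    body and sets the new password with no session, no token and no proof that
    the caller owns the account. Anyone who can reach the endpoint and guess a
    username such as 'admin' takes over that account."""
    user = store["users"].get(request["account"])
    if user is None:
        return False
    salt, digest = hash_password(request["new_password"])
    user.update(salt=salt, digest=digest)
    return True


def begin_reset(store, account, now=None):
    """Hardened pattern, step 1: mint a random single-use token, keep only its
    hash plus an expiry, and deliver the token out of band. Here the token is
    returned so the example runs offline; a real service would e-mail it."""
    if account not in store["users"]:
        return None  # the HTTP response should look identical to avoid enumeration
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).digest()
    expires_at = (now if now is not None else time.time()) + RESET_TTL_SECONDS
    store["pending_resets"][account] = (token_hash, expires_at)
    return token


def complete_reset(store, request, now=None):
    """Hardened pattern, step 2: accept the new password only when the caller
    presents the unexpired token minted for that exact account. The token is
    consumed on every attempt that reaches the comparison, so it cannot be
    replayed and cannot be used after it expires."""
    account = request["account"]
    pending = store["pending_resets"].pop(account, None)
    if pending is None:
        return False
    token_hash, expires_at = pending
    presented = hashlib.sha256(request.get("token", "").encode()).digest()
    if not hmac.compare_digest(presented, token_hash):
        return False
    if (now if now is not None else time.time()) > expires_at:
        return False
    salt, digest = hash_password(request["new_password"])
    store["users"][account].update(salt=salt, digest=digest)
    return True


if __name__ == "__main__":
    store = make_store()
    # Attacker knows only the username: succeeds against the vulnerable handler.
    print("vulnerable:", reset_password_vulnerable(store, {"account": "admin", "new_password": "pwned"}))
    print("attacker logs in:", verify_password(store, "admin", "pwned"))
    # Same attacker against the hardened flow: no token, no reset.
    store = make_store()
    print("hardened, guessed token:", complete_reset(store, {"account": "admin", "token": "guess", "new_password": "pwned"}))
    token = begin_reset(store, "admin")
    print("hardened, real token:", complete_reset(store, {"account": "admin", "token": token, "new_password": "rotated"}))
```

When hunting after the fact, the property worth checking is the one the hardened flow enforces: every administrator password change should trace back to an authenticated session or a freshly issued reset token, and a change that does not is a takeover indicator regardless of which product produced the log.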

Read More: https://www.securityweek.com/fresh-smartermail-flaw-exploited-for-admin-access/