A critical authentication bypass in SmarterTools’ SmarterMail (tracked as WT-2026-0001) is being actively exploited shortly after the patch was released: unauthenticated requests to the /api/v1/auth/force-reset-password endpoint can reset any administrator password. The flaw can be chained to SYSTEM-level remote code execution through the product’s Volume Mount Command feature. watchTowr Labs disclosed the issue following the patch release and has observed post-patch abuse. #SmarterMail #watchTowrLabs
Key points
- An authentication bypass in the ForceResetPassword endpoint allows unauthenticated admin password resets.
- The IsSysAdmin boolean flag enables a privileged code path that can trivially update administrator credentials.
- Gaining admin access leads to SYSTEM-level RCE via the Volume Mount Command functionality.
- SmarterTools released Build 9511 on Jan 15, 2026 after responsible disclosure, but exploitation was observed two days later.
- Vague release notes raised transparency concerns; SmarterTools’ CEO pledged clearer CVE/email notifications going forward.
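A defender-side check that is not part of the article or of SmarterTools' product: scan access-log lines for requests to the force-reset endpoint named above, flag sources that reset a password and then log in shortly afterwards, and compare a reported build number against Build 9511. The W3C-style log layout and the /api/v1/auth/login path are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Endpoint and first fixed build as given in the summary above.
FORCE_RESET_PATH = "/api/v1/auth/force-reset-password"
FIXED_BUILD = 9511
# Assumed login path for correlation; not taken from the advisory.
LOGIN_PATH = "/api/v1/auth/login"

# Assumed W3C-style access-log line: date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse(lines):
    """Yield (datetime, ip, method, normalised path, status) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        date, time, ip, method, path, status = m.groups()
        yield (datetime.fromisoformat(f"{date} {time}"), ip, method,
               path.lower().rstrip("/"), int(status))

def find_force_reset_requests(lines):
    """Every request to the force-reset endpoint; on an unpatched build each one is a finding."""
    return [(ts, ip, method, status) for ts, ip, method, path, status in parse(lines)
            if path == FORCE_RESET_PATH]

def reset_followed_by_login(lines, window=timedelta(minutes=10)):
    """IPs that got a 2xx from force-reset and then logged in within `window`: reset-then-takeover."""
    resets, flagged = {}, set()
    for ts, ip, method, path, status in sorted(parse(lines)):
        if path == FORCE_RESET_PATH and 200 <= status < 300:
            resets[ip] = ts
        elif path == LOGIN_PATH and ip in resets and ts - resets[ip] <= window:
            flagged.add(ip)
    return sorted(flagged)

def build_is_vulnerable(build):
    """True if the reported SmarterMail build predates the fixed Build 9511."""
    return build < FIXED_BUILD

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2026-01-17 03:12:09 198.51.100.23 POST /api/v1/auth/force-reset-password 200
2026-01-17 03:12:11 198.51.100.23 POST /api/v1/auth/login 200
2026-01-17 08:45:00 10.0.0.5 GET /interface/root 200
2026-01-17 09:01:17 203.0.113.7 POST /API/v1/auth/force-reset-password/ 401
"""

if __name__ == "__main__":
    for hit in find_force_reset_requests(SAMPLE_LOG.splitlines()):
        print("force-reset request:", *hit)
    print("reset-then-login from:", reset_followed_by_login(SAMPLE_LOG.splitlines()))
```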
Read More: https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html