An authentication bypass vulnerability in SmarterTools’ SmarterMail force-reset-password API allows unauthenticated attackers to reset administrator passwords and obtain full privileges. Researchers reported the flaw and SmarterMail issued a patch on January 15, but evidence shows threat actors began exploiting the issue in the wild soon after the fix was released. #SmarterMail #SmarterTools
Key points
- The force-reset-password API in SmarterMail permits unauthenticated password resets for admin accounts.
- The endpoint accepts attacker-controlled JSON, including an ‘IsSysAdmin’ flag, and ignores the ‘OldPassword’ field.
- Successful exploitation allows administrator takeover and SYSTEM-level remote code execution on the host.
- watchTowr reported the issue on January 8; SmarterMail patched it on January 15, and attackers began exploiting it shortly after.
- Administrators should upgrade SmarterMail to Build 9511 immediately; the build addresses both this flaw and a related remote code execution vulnerability, CVE-2025-52691.
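To make the defect pattern in the key points concrete, here is an added Python model (not SmarterMail's code, which the summary does not reproduce) of a reset handler that trusts the request body, beside a hardened form that takes privilege only from the server-side session and verifies the current password. The field names `IsSysAdmin` and `OldPassword` come from the summary; `Username`, `NewPassword`, the session shape and the account store are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store (assumed shape, not SmarterMail's data
# model): each account keeps a salted hash and a server-side privilege flag.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_store() -> dict:
    store = {}
    for name, pw, admin in (("admin", "Adm1n-Secret", True), ("alice", "Al1ce-Pass", False)):
        salt = secrets.token_bytes(16)
        store[name] = {"salt": salt, "hash": _hash(pw, salt), "is_sysadmin": admin}
    return store

def check_login(store: dict, user: str, password: str) -> bool:
    acct = store.get(user)
    return acct is not None and hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])

def vulnerable_reset(store: dict, body: dict) -> bool:
    # Defect pattern from the summary: no caller authentication, 'OldPassword'
    # is never read, and the client-supplied 'IsSysAdmin' flag is stored as-is.
    acct = store.get(body["Username"])
    if acct is None:
        return False
    acct["salt"] = secrets.token_bytes(16)
    acct["hash"] = _hash(body["NewPassword"], acct["salt"])
    acct["is_sysadmin"] = bool(body.get("IsSysAdmin", acct["is_sysadmin"]))
    return True

def hardened_reset(store: dict, session, body: dict) -> tuple:
    # Hardened form: privilege comes from the server-side session only, a user
    # may reset their own password (any, if the session is a sysadmin), the
    # current password is verified, and 'IsSysAdmin' in the body is ignored.
    if session is None:
        return False, "unauthenticated"
    target = store.get(body.get("Username", ""))
    if target is None:
        return False, "unknown_user"
    caller = session["user"]
    if caller != body["Username"] and not store[caller]["is_sysadmin"]:
        return False, "forbidden"
    if caller == body["Username"] and not check_login(store, caller, body.get("OldPassword", "")):
        return False, "old_password_mismatch"
    target["salt"] = secrets.token_bytes(16)
    target["hash"] = _hash(body["NewPassword"], target["salt"])
    return True, "ok"
```

The `hardened_reset` checks are the minimum a reviewer would look for in any self-service reset endpoint: who is calling, whether they may act on the target account, and proof of the old credential.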