SmarterTools has released urgent security updates for its SmarterMail email server software, addressing multiple serious vulnerabilities—including a critical flaw that allows unauthenticated remote code execution (RCE).
The most severe issue, tracked as CVE-2026-24423, carries a CVSS score of 9.3, placing it among the highest-risk software vulnerabilities disclosed this year.
Critical RCE Flaw Enables Remote Attacks
According to the vulnerability disclosure, affected versions of SmarterMail prior to Build 9511 contain a flaw in the ConnectToHub API method that can be exploited without authentication. An attacker can configure the application to connect to a malicious HTTP server, which then delivers operating system commands that are executed by the SmarterMail service.
This vulnerability could allow remote attackers to take full control of a vulnerable mail server, potentially leading to data theft, service disruption, or further lateral movement within enterprise networks.
Security researchers from watchTowr, CODE WHITE GmbH, and VulnCheck were credited with identifying and responsibly reporting the issue.
Additional Actively Exploited Vulnerability Fixed
The same update, released on January 15, 2026, also addressed another critical flaw, CVE-2026-23760, which shares the same CVSS score of 9.3. This vulnerability has already been observed under active exploitation, significantly increasing the urgency for administrators to apply the patch.
NTLM Relay Risk Through Path Coercion
In a subsequent release, SmarterTools also resolved a medium-severity vulnerability that could enable NTLM relay attacks and unauthorized authentication attempts on Windows environments.
Tracked as CVE-2026-25067 with a CVSS score of 6.9, the issue stems from unauthenticated path coercion in the “background-of-the-day” preview feature. The application decodes attacker-controlled input and uses it as a filesystem path without proper validation.
On Windows systems, this can force the SmarterMail service to initiate outbound SMB authentication requests to attacker-controlled servers. Such coerced authentication can be abused to harvest credentials or relay NTLM authentication, potentially enabling further network compromise.
This flaw was patched in Build 9518, released on January 22, 2026.
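The root cause described above, a decoded user value being used as a filesystem path with no validation, belongs to a well-known bug class, and the defensive fix is the same in any language: refuse drive-letter and UNC prefixes, then confine the resolved path to an allowed directory. The following Python function is an added illustration of that check; it is not SmarterMail's code, and the base directory and the "background-of-the-day" filename handling are assumptions for the example. It uses `ntpath` so the Windows path rules apply wherever the script is run.

```python
import ntpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory that preview images are allowed to come from.
BASE_DIR = r"C:\SmarterMail\Backgrounds"


def resolve_preview_path(user_value: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the input is unsafe.

    Mirrors the vulnerable pattern (percent-decode, then treat as a path) but
    adds the validation the original feature lacked.
    """
    decoded = unquote(user_value)
    # Treat forward slashes as separators so "//host/share" is seen as UNC too.
    normalized = decoded.replace("/", "\\")

    # splitdrive returns a non-empty drive for "C:\..." and for "\\host\share\...".
    # Either form would let the caller point the service at an arbitrary
    # location, including a remote SMB host, so both are rejected outright.
    drive, _ = ntpath.splitdrive(normalized)
    if drive:
        return None
    # A leading backslash is absolute on the current drive; also reject it.
    if ntpath.isabs(normalized):
        return None

    base_norm = ntpath.normpath(base_dir).lower()
    joined = ntpath.normpath(ntpath.join(base_dir, normalized))
    # After normalisation, "..\" segments have been collapsed; the result must
    # still sit strictly below the allowed directory (case-insensitive on Windows).
    if not joined.lower().startswith(base_norm + "\\"):
        return None
    return joined


if __name__ == "__main__":
    # Constructed inputs: one legitimate filename and three that must be refused.
    for value in (
        "sunset.jpg",
        r"..\..\Windows\win.ini",
        "%5C%5Cattacker%5Cshare%5Cbg.jpg",  # percent-encoded UNC path
        "//attacker/share/bg.jpg",
    ):
        print(repr(value), "->", resolve_preview_path(value))
```

The UNC rejection is the part that matters for the NTLM relay risk: a path beginning with `\\host\share` is exactly what causes Windows to open an outbound SMB session and authenticate to that host.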
Immediate Action Strongly Recommended
With multiple SmarterMail vulnerabilities exploited in the wild over a short period, security experts strongly recommend that organizations upgrade to the latest available build immediately. Unpatched email servers remain a high-value target for attackers due to their exposure, access to sensitive communications, and integration with internal networks.
Administrators are also advised to review server logs, restrict external access where possible, and monitor for suspicious outbound authentication attempts.
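One concrete way to act on the last recommendation is to look for the mail server itself opening SMB sessions to hosts outside the organisation's own address space, which is the observable side effect of the path coercion flaw. The script below is an added example, not part of the advisory or of SmarterTools' tooling; it parses constructed log lines in the Windows Firewall `pfirewall.log` format and flags outbound connections from the mail server to SMB ports on non-internal addresses. The internal ranges, the mail server address and the log lines are all assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in pfirewall.log layout (Windows Defender Firewall logging).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-01-22 09:15:02 ALLOW TCP 10.0.0.25 10.0.0.10 51002 445 0 - 0 0 0 - - - SEND
2026-01-22 09:16:40 ALLOW TCP 10.0.0.25 203.0.113.45 51010 445 0 - 0 0 0 - - - SEND
2026-01-22 09:16:41 ALLOW TCP 10.0.0.25 198.51.100.9 51011 443 0 - 0 0 0 - - - SEND
2026-01-22 09:17:05 DROP TCP 10.0.0.25 203.0.113.45 51012 139 0 - 0 0 0 - - - SEND
2026-01-22 09:18:00 ALLOW TCP 203.0.113.77 10.0.0.25 40000 25 0 - 0 0 0 - - - RECEIVE
"""

# Assumed internal address space; an organisation would substitute its own.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
SMB_PORTS = {445, 139}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pfirewall.log record into named fields; skip comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 17:
        return None
    return {
        "time": f"{parts[0]} {parts[1]}",
        "action": parts[2],
        "protocol": parts[3],
        "src": parts[4],
        "dst": parts[5],
        "dst_port": parts[7],
        "path": parts[16],  # SEND = outbound, RECEIVE = inbound
    }


def find_external_smb(log_text: str, mail_server_ips: List[str]) -> List[Dict[str, str]]:
    """Return outbound SMB connections from the mail server to non-internal hosts.

    Dropped attempts are reported too: a DROP shows the server was coerced even
    though egress filtering stopped the session.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != "SEND" or rec["src"] not in mail_server_ips:
            continue
        try:
            port = int(rec["dst_port"])
        except ValueError:  # ICMP records carry "-" instead of a port
            continue
        if port in SMB_PORTS and not is_internal(rec["dst"]):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG, ["10.0.0.25"]):
        print(f'{hit["time"]} {hit["action"]} {hit["src"]} -> {hit["dst"]}:{hit["dst_port"]}')
```

Running it over the sample reports the two records to 203.0.113.45 and ignores the internal file-server session and the ordinary HTTPS connection. The same filter expressed as a firewall rule (block outbound 445/139 from the mail server except to known internal hosts) is the corresponding preventive control.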