Attackers Reverse‑Engineer Patch to Exploit SmarterMail Admin Bypass in the Wild

David Kimber
January 22, 2026

A critical authentication bypass vulnerability impacting SmarterTools SmarterMail is actively exploited by attackers in the wild, security researchers at watchTowr Labs report.

The vulnerability, tracked as WT-2026-0001, allows unauthenticated attackers to reset the system administrator password without any validation, leading to complete system takeover.

The flaw exists in the ForceResetPassword API endpoint, which is designed to handle legitimate password reset scenarios.

However, the endpoint is exposed without authentication and contains a critical design flaw: it accepts a user-controlled parameter, IsSysAdmin, that branches the code logic to different password reset procedures.

SmarterMail release notes (source: watchTowr Labs)

When an attacker sets IsSysAdmin to “true,” the application attempts to reset the password of an administrator account. Critically, the implementation fails to validate the existing password before allowing the reset.

That validation is performed for regular user accounts but omitted for administrators; this inconsistency is the heart of the vulnerability.

The attack requires only three pieces of information sent via a simple HTTP POST request:

The force-reset-password endpoint implicated in WT-2026-0001 (source: watchTowr Labs)

The administrator username (commonly “admin”), a new password of the attacker’s choosing, and the IsSysAdmin flag. The old password field is ignored entirely for admin accounts.

POST /api/v1/auth/force-reset-password HTTP/1.1
Host: xxxxxxx:9998
Content-Type: application/json
Content-Length: 145

{"IsSysAdmin":"true",
"OldPassword":"watever",
"Username":"admin",
"NewPassword":"NewPassword123!@#",
"ConfirmPassword": "NewPassword123!@#"}

Active Exploitation Confirmed

Patch diffing, in which attackers compare the patched and unpatched code to identify what a security fix changed and thus locate the underlying vulnerability, played a key role in this threat.

SmarterMail released version 9511 on January 15, 2026, just six days after the vulnerability was discovered.

Full remote code execution achieved (source: watchTowr Labs)

Attackers analyzed the patch, reverse-engineered the vulnerability, and began exploitation attempts within 48 hours of the release.

A SmarterMail forum post from January 17 confirmed that exploitation attempts had already occurred in the wild.

Once authenticated as an administrator, attackers gain access to a built-in feature that amplifies the impact: the ability to create volume mounts with arbitrary operating system commands.

These commands execute with SYSTEM-level privileges, providing complete remote code execution on the server.

PoC achieving a SYSTEM-level shell (source: watchTowr Labs)

This two-stage attack chain, which bypasses authentication and then executes commands through legitimate administrative features, transforms a password reset flaw into a complete system compromise.

watchTowr Labs advises organizations using SmarterMail to upgrade immediately to version 9511.

The patch adds proper password validation to the administrator reset path, preventing the exploit. Delaying this update exposes systems to active threat actor campaigns seeking vulnerable instances.
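To make the inconsistency concrete, here is an added model of the two reset paths described above and of the fix the patch applies; it is not SmarterMail's own code (the product is not written in Python), and the UserStore class, function names and sample passwords are constructed for this example. The first handler skips old-password verification whenever the request claims IsSysAdmin, as the article describes; the second verifies the existing password for every account and never lets the request choose its own code path.

```python
import hashlib
import hmac
import secrets


class ResetError(Exception):
    """Raised when a password reset request is rejected."""


class UserStore:
    """Minimal in-memory account store, constructed for this example."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, username, password, is_admin=False):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                 "admin": is_admin}

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def set_password(self, username, password):
        # Role is a server-side attribute of the record, not of the request.
        self.add(username, password, self._users[username]["admin"])


def force_reset_vulnerable(store, req):
    """Models the flaw: the caller-supplied IsSysAdmin flag picks the branch,
    and the admin branch never checks OldPassword."""
    if req.get("IsSysAdmin") == "true":
        store.set_password(req["Username"], req["NewPassword"])
        return True
    if not store.verify(req["Username"], req["OldPassword"]):
        raise ResetError("old password does not match")
    store.set_password(req["Username"], req["NewPassword"])
    return True


def force_reset_fixed(store, req):
    """Hardened form: IsSysAdmin is ignored and the existing password is
    verified before any reset, administrator or not."""
    if req["NewPassword"] != req["ConfirmPassword"]:
        raise ResetError("password confirmation mismatch")
    if not store.verify(req["Username"], req["OldPassword"]):
        raise ResetError("old password does not match")
    store.set_password(req["Username"], req["NewPassword"])
    return True
```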
