Actively Exploited RCE Hits 6 Vulnerable SmarterTools
Active remote code execution (RCE) attacks pose an immediate threat to over 6,000 SmarterMail servers. These internet-exposed instances operate vulnerable software versions, leaving them open to compromise.
Security researchers identified the flaws through daily HTTP vulnerability scans, and exploitation attempts have already been observed in the wild.
This represents a significant threat to organizations worldwide relying on SmarterMail for enterprise email operations.
Vulnerability Overview
CVE-2026-23760 is a critical authentication bypass vulnerability in the SmarterMail password reset API affecting all versions prior to Build 9511, released January 15, 2026.
The vulnerability carries a CVSS score of 9.3, indicating extreme risk to affected systems.
The flaw exists in the /api/v1/auth/force-reset-password endpoint, which permits unauthenticated requests without requiring password verification or reset tokens when targeting administrator accounts.
An attacker exploiting this vulnerability can supply any administrator username with a new password, achieving immediate administrative account takeover.
Critically, SmarterMail administrators have built-in functionality that enables direct execution of operating system commands through the Settings interface, effectively elevating the compromise to SYSTEM-level access on the underlying host.
Multiple security organizations have confirmed active exploitation since at least January 17, 2026, just two days after the patch release.
Huntress Labs observed threat actors using the compromised administrator accounts to create malicious System Events configured to execute reconnaissance commands on vulnerable hosts.
The attack chain demonstrates a sophisticated understanding of SmarterMail architecture, with attackers systematically resetting accounts, obtaining authentication tokens, and installing persistent backdoors.
Watchtowr Labs received anonymous reports confirming threat actors exploiting the vulnerability in production environments.
This is particularly concerning given that attackers actively monitor release notes and perform patch diffing to reverse-engineer vulnerabilities.
Shadowserver’s geographically distributed scanning reveals vulnerable instances across multiple continents, though the exact regional breakdown has not been publicly detailed.
The discovery of 6,000 vulnerable IPs underscores the significant attack surface, particularly as many organizations remain unaware of available patches.
SmarterTools strongly recommends updating to the latest build immediately. Organizations should prioritize patching as attackers actively target unpatched instances, with no evidence of slowing exploitation attempts.
Security teams should review administrator account activity logs for unauthorized password resets, investigate potential web shells or malware installed via exploitation, and confirm that system backups remain uncompromised.
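The log review recommended above can be scripted. The following Python triage script is an added example, not code from the article or from SmarterTools: it scans web-front-end access logs for calls to the /api/v1/auth/force-reset-password endpoint named in the article and flags each one, rating it higher when the call came from outside a trusted network and was followed shortly afterwards by activity as the reset account. The log line format, the trusted network range, the IP addresses, the account names and every request path other than the reset endpoint are constructed assumptions for this example; adapt the regular expression to whatever your IIS or reverse-proxy logs actually contain.

```python
"""Added example: triage access logs for abuse of the SmarterMail password-reset endpoint.

Assumptions (not from the article): the log line layout, the trusted network,
the sample IPs/accounts, and every path except RESET_ENDPOINT are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# The only endpoint taken from the article.
RESET_ENDPOINT = "/api/v1/auth/force-reset-password"

# Constructed line layout: "<ISO timestamp> <client ip> <method> <path> <status> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S*)$"
)

# Constructed sample log lines. "/api/v1/auth/login" and
# "/api/v1/settings/system-events" are placeholder paths, not real SmarterMail routes.
SAMPLE_LOG = """\
2026-01-17T02:11:03Z 203.0.113.10 POST /api/v1/auth/force-reset-password 200 user=admin
2026-01-17T02:11:09Z 203.0.113.10 POST /api/v1/auth/login 200 user=admin
2026-01-17T02:12:40Z 203.0.113.10 POST /api/v1/settings/system-events 200 user=admin
2026-01-17T08:30:00Z 10.0.0.5 POST /api/v1/auth/force-reset-password 200 user=jdoe
2026-01-17T09:00:12Z 10.0.0.7 GET /api/v1/mail/folders 200 user=jdoe
"""


@dataclass
class Finding:
    ts: str        # ISO timestamp of the reset call
    ip: str        # source address of the reset call
    user: str      # account whose password was reset
    severity: str  # "high", "medium" or "low"
    reason: str


def parse_log(text):
    """Parse the constructed log layout into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_reset_abuse(text, trusted_nets=("10.0.0.0/8",), follow_window_s=900):
    """Flag every call to the reset endpoint and rate it by source and follow-on activity.

    Because the endpoint needs no prior authentication, every call deserves review;
    a call from outside the trusted network that is followed within follow_window_s
    seconds by requests from the same IP acting as the reset account is the pattern
    of an account takeover and is rated "high".
    """
    events = parse_log(text)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for i, ev in enumerate(events):
        if ev["path"] != RESET_ENDPOINT:
            continue
        src = ipaddress.ip_address(ev["ip"])
        external = not any(src in net for net in trusted)
        followed = any(
            later["ip"] == ev["ip"]
            and later["user"] == ev["user"]
            and 0 <= (later["when"] - ev["when"]).total_seconds() <= follow_window_s
            for later in events[i + 1:]
        )
        if external and followed:
            severity, reason = "high", "external reset followed by activity as the reset account"
        elif external:
            severity, reason = "medium", "reset call from outside the trusted network"
        elif followed:
            severity, reason = "medium", "internal reset followed by activity as the reset account"
        else:
            severity, reason = "low", "reset call from the trusted network (confirm with the user)"
        findings.append(Finding(ev["ts"], ev["ip"], ev["user"], severity, reason))
    return findings


if __name__ == "__main__":
    for f in find_reset_abuse(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} user={f.user}: {f.reason}")
```

Feed the script real log text instead of SAMPLE_LOG, and consider treating any reset call at all as reportable until you have confirmed the server runs Build 9511 or later, since the article states the endpoint accepted unauthenticated requests for administrator accounts on earlier builds.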
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.