
SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release - The Hacker News

The Hacker News · Archived Apr 05, 2026

Ravie Lakshmanan · Jan 22, 2026 · Vulnerability / Email Security

A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.

The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026. Markus Wulftange of CODE WHITE GmbH has also been credited with reporting the same flaw.

It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the "/api/v1/auth/force-reset-password" endpoint.

"The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands," watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said.

The problem is rooted in the function "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword," which not only allows the endpoint to be reached without authentication, but also relies on a boolean flag named "IsSysAdmin" in the reset request to decide how the incoming request is handled, depending on whether the user claims to be a system administrator or not.
In case the flag is set to "true" (i.e., indicating that the user is an administrator), the underlying logic performs the following sequence of actions:

- Obtain the configuration corresponding to the username passed as input in the HTTP request
- Create a new system administrator item with the new password
- Update the administrator account with the new password

In other words, the privileged path is configured such that it can trivially update an administrator user's password by sending an HTTP request with the username of an administrator account and a password of the sender's choice. This complete lack of security control could be abused by an attacker to obtain elevated access, provided they have knowledge of an existing administrator username.

It doesn't end there, for the authentication bypass provides a direct path to remote code execution through built-in functionality that allows a system administrator to execute operating system commands on the underlying host and obtain a SYSTEM-level shell. This can be accomplished by navigating to the Settings page, creating a new volume, and supplying an arbitrary command in the Volume Mount Command field, which is subsequently executed by the host's operating system.

The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same "force-reset-password" endpoint to change the password on January 17, 2026, two days after the release of the patch. This likely indicates that the attackers managed to reverse engineer the patch and reconstruct the flaw.

To make matters worse, SmarterMail's release notes are vague and do not explicitly mention what issues were addressed. One item in the bulleted list for Build 9511 simply mentions "IMPORTANT: Critical security fixes."
In response, SmarterTools CEO Tim Uzzanti hinted that this is done to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue.

"In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references," Uzzanti said in response to transparency concerns raised by its customers. "We appreciate the feedback that encouraged this change in policy moving forward."

When reached for comment, SmarterTools told The Hacker News that it released a fix for the vulnerability on January 15, 2026, adding that it sent out notifications to all customers, asking them to update to the latest version.

"At the time of that release, we did notify all SmarterMail customers that a new version was released that fixed a critical security issue, and we strongly urged them to upgrade," Derek Curtis, chief operating officer at SmarterTools, said. "As we don't manage installations ourselves – our SmarterMail software is on-premises – we have to rely on customers to read our notifications, then upgrade as soon as they feel it's prudent to do so."

The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution.

Update: The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS score: 9.3), with Huntress noting that it has observed in-the-wild exploitation of the privileged account takeover vulnerability that could result in remote code execution. The cybersecurity company also said CVE-2025-52691 has come under mass exploitation, making it essential that users of SmarterMail update to the latest version as soon as possible.
Jai Minton, senior manager of detection engineering and threat hunting at Huntress, told The Hacker News that CVE-2025-52691 is being exploited to deliver low-sophistication web shells and "suspected loaders of malware written to Startup directories in order to achieve persistence and execution when the system is restarted."

Minton also stated that all the IP addresses attempting to exploit CVE-2026-23760 are tied to virtual infrastructure in the U.S., and that the exact origin of the attacks is unknown. As for attribution, there is no evidence to suggest that either of the vulnerabilities being exploited is tied to any particular threat actor.

"Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection," it added.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added both SmarterMail flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.

(The story was updated after publication on January 27, 2026, to reflect the latest developments.)
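The community-portal report above was spotted from logs showing hits on the "force-reset-password" endpoint, and Huntress recommends reviewing outdated systems for signs of infection. The following is an added example (not code from the article, watchTowr, Huntress or SmarterTools) of that review: it scans a constructed, W3C-style web access log for requests to the reset endpoint, marks any that post-date the Build 9511 release, and lists what the same client did in the following minutes. The log layout and all non-advisory paths are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Endpoint named in the advisory. Build 9511 (the fix) shipped on January 15, 2026,
# so hits after that date on a host that had not yet upgraded deserve the highest priority.
RESET_ENDPOINT = "/api/v1/auth/force-reset-password"
PATCH_RELEASE = datetime(2026, 1, 15)

# Constructed access log (fields: date time method uri-stem client-ip status).
# The layout is an assumption for this example, not SmarterMail's real log format,
# and every path other than RESET_ENDPOINT is a made-up sample value.
SAMPLE_LOG = """\
2026-01-16 08:12:01 GET /interface/root 203.0.113.5 200
2026-01-17 03:44:10 POST /api/v1/auth/force-reset-password 198.51.100.23 200
2026-01-17 03:44:12 POST /api/v1/auth/login 198.51.100.23 200
2026-01-17 03:50:02 POST /api/v1/settings/volumes 198.51.100.23 200
2026-01-18 09:01:00 POST /api/v1/auth/login 203.0.113.5 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<client>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def find_reset_hits(text, window=timedelta(minutes=30)):
    """Flag each request to the reset endpoint and collect the same client's follow-up requests."""
    records = list(parse_log(text))
    hits = []
    for i, rec in enumerate(records):
        if rec["path"].lower().rstrip("/") != RESET_ENDPOINT:
            continue
        follow_up = [r["path"] for r in records[i + 1:]
                     if r["client"] == rec["client"] and r["ts"] - rec["ts"] <= window]
        hits.append({"when": rec["ts"], "client": rec["client"], "status": int(rec["status"]),
                     "post_patch": rec["ts"] >= PATCH_RELEASE, "follow_up": follow_up})
    return hits


if __name__ == "__main__":
    for hit in find_reset_hits(SAMPLE_LOG):
        flag = "POST-PATCH" if hit["post_patch"] else "pre-patch"
        print(f"{hit['when']} {hit['client']} status={hit['status']} [{flag}] then: {hit['follow_up']}")
```

A reset hit followed by a login and settings changes from the same client, as in the sample, is the sequence the article describes; a 200 status on the reset call from an unexpected source is the line to escalate.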