CISA warns of SmarterMail RCE flaw used in ransomware attacks - BleepingComputer
By Bill Toulas
February 6, 2026 12:16 PM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that ransomware actors are exploiting CVE-2026-24423, a critical vulnerability in SmarterMail that allows remote code execution without authentication.
SmarterMail is a self-hosted, Windows-based email server and collaboration platform from SmarterTools. The product provides SMTP/IMAP/POP mail services along with webmail, calendars, contacts, and basic groupware functionality.
It is commonly deployed by managed service providers (MSPs), small and medium-sized businesses, and hosting companies offering email services. According to SmarterTools, its products are used by roughly 15 million users across 120 countries.
The CVE-2026-24423 flaw affects SmarterTools SmarterMail versions prior to build 9511, and successful exploitation can lead to remote code execution (RCE) via the ConnectToHub API.
The vulnerability was discovered and responsibly disclosed to SmarterTools by security researchers at the cybersecurity companies watchTowr, CODE WHITE, and VulnCheck.
The vendor fixed the flaw on January 15 in SmarterMail Build 9511.
CISA has now added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and marked it as actively exploited in ransomware campaigns.
“SmarterTools SmarterMail contains a missing authentication for a critical function vulnerability in the ConnectToHub API method,” the government agency warns.
“This could allow the attacker to point the SmarterMail instance to a malicious HTTP server that serves the malicious OS command and could lead to command execution.”
Under BOD 22-01, CISA has directed federal agencies and other entities bound by the directive to either apply the security updates and vendor-suggested mitigations or stop using the product by February 26, 2026.
Around the same time that SmarterTools patched CVE-2026-24423, watchTowr researchers discovered another authentication bypass flaw, internally tracked as WT-2026-0001.
The flaw, which has not been assigned a CVE identifier, permits resetting the administrator password without any verification and was exploited by hackers shortly after the vendor released a patch.
The researchers base this assessment on anonymous tips, specific calls found in the logs of compromised systems, and requested endpoints that exactly match the vulnerable code path.
Since then, SmarterMail has fixed additional security flaws rated “critical,” so it is recommended that system administrators update to the most recent build, currently 9526, released on January 30.
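As an added example (not code from the article, CISA, or SmarterTools), the Python below shows two defender-side checks that follow from the details above: classifying an installed build against the 9511 and 9526 builds named in the article, and flagging access-log requests that hit the ConnectToHub API method, the kind of log evidence the researchers describe. The log layout and the URI path are assumptions, and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Build numbers stated in the article: 9511 fixed CVE-2026-24423, 9526 is the current build.
FIXED_BUILD = 9511
CURRENT_BUILD = 9526


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    uri: str
    status: int


# Assumed W3C-style access log layout: date time client-ip method uri status.
# This is an assumption for the example, not SmarterMail's actual log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def assess_build(build: int) -> str:
    """Classify an installed SmarterMail build against the fixed and current builds."""
    if build < FIXED_BUILD:
        return "vulnerable to CVE-2026-24423: update immediately"
    if build < CURRENT_BUILD:
        return "patched for CVE-2026-24423 but behind current build 9526"
    return "current"


def find_connecttohub_calls(lines):
    """Return every parsed request whose URI references the ConnectToHub method."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and "connecttohub" in m["uri"].lower():
            findings.append(Finding(m["ts"], m["ip"], m["uri"], int(m["status"])))
    return findings


# Constructed sample log lines; the URI paths are hypothetical, not real SmarterMail routes.
SAMPLE_LOG = """\
2026-01-16 03:12:07 203.0.113.45 POST /api/v1/settings/sysadmin/connecttohub 200
2026-01-16 03:12:09 203.0.113.45 GET /interface/root 200
2026-01-16 08:40:11 198.51.100.9 POST /api/v1/auth/login 200
2026-01-17 22:05:33 203.0.113.45 POST /api/v1/settings/sysadmin/connecttohub 500
"""

if __name__ == "__main__":
    print(assess_build(9500))
    for f in find_connecttohub_calls(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.client_ip} -> {f.uri} ({f.status})")
```

Any ConnectToHub request from an address that is not a known administrator source is worth correlating with the build in service at the time it was logged.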