The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that ransomware actors are exploiting CVE-2026-24423, a critical vulnerability in SmarterMail that allows remote code execution without authentication.
SmarterMail is a self-hosted, Windows-based email server and collaboration platform from SmarterTools. The product provides SMTP/IMAP/POP mail services along with webmail, calendars, contacts, and basic groupware functionality.
It is commonly deployed by managed service providers (MSPs), small and medium-sized businesses, and hosting companies offering email services. According to SmarterTools, its products are used by roughly 15 million users across 120 countries.
The CVE-2026-24423 flaw affects SmarterTools SmarterMail versions prior to build 9511, and successful exploitation can lead to remote code execution (RCE) via the ConnectToHub API.
The vulnerability was discovered and disclosed responsibly to SmarterTools by security researchers at watchTowr, CODE WHITE, and VulnCheck cybersecurity companies.
The vendor fixed the flaw on January 15 in SmarterMail Build 9511.
CISA has now added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and marked it as actively exploited in ransomware campaigns.
“SmarterTools SmarterMail contains a missing authentication for a critical function vulnerability in the ConnectToHub API method,” the government agency warns.
“This could allow the attacker to point the SmarterMail instance to a malicious HTTP server that serves the malicious OS command and could lead to command execution.”
CISA has given federal agencies and entities with obligations under BOD 22-01 guidance to either apply the security updates and vendor-suggested mitigations or stop using the product by February 26, 2026.
Around the same time that SmarterTools patched CVE-2026-24423, watchTowr researchers discovered another authentication bypass flaw, internally tracked as WT-2026-0001.
The flaw, which has no identification number, permits resetting the administrator password without any verification and has been exploited by hackers shortly after the vendor released a patch.
The researchers base this on anonymous tips, specific calls in the logs of compromised systems, and endpoints that exactly match the vulnerable code path.
Since then, SmarterMail has fixed additional security flaws rated “critical,” so it is recommended that system administrators update to the most recent build, currently 9526, released on January 30.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
