SecurityWeek

Critical SmarterMail Vulnerability Exploited in Ransomware Attacks

The security defect allows unauthenticated attackers to execute arbitrary code remotely via malicious HTTP requests.


SmarterTools SmarterMail business email and collaboration servers are targeted in attacks exploiting another recent critical-severity vulnerability, the US cybersecurity agency CISA warns.

Roughly two weeks ago, security researchers raised the alarm about hackers exploiting an authentication bypass bug in SmarterMail to reset administrator account passwords and take control of vulnerable instances.

Last week, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog along with a second SmarterMail issue exploited in the same campaign.

Now, the cybersecurity agency warns that a third SmarterMail vulnerability, tracked as CVE-2026-24423 (CVSS score of 9.3), has been abused in the wild.

The issue is described as an unauthenticated remote code execution (RCE) flaw via the ConnectToHub API.

Because the API processes requests controlled by a remote server, attackers can define arbitrary command execution parameters that are passed to the endpoint, resulting in command execution on all platforms.


“The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application,” a NIST advisory reads.

According to VulnCheck, the root cause of the bug is that the ConnectToHub API “explicitly allows anonymous users and processes JSON data sent in POST requests.”

Attackers can define a mount command with malicious parameters and, upon execution, could escalate privileges on Linux systems, VulnCheck says.

On January 15, SmarterMail build 9511 was released with patches for CVE-2026-24423, as well as for the two SmarterMail defects previously flagged as exploited. Users are advised to update their instances as soon as possible.
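As an added illustration (not part of the SecurityWeek article and not SmarterTools code), the script below turns the two defensive facts above into checks a SmarterMail administrator could run: whether a given build number is at or beyond the fixed build 9511, and whether web-access logs show anonymous POST requests to a ConnectToHub endpoint, the condition the advisory describes (the API accepts anonymous users and JSON POSTs). The log line layout and the endpoint path `/api/v1/ConnectToHub` are assumptions constructed for this example, not SmarterMail's real log format or route.

```python
"""Defensive triage helper for the SmarterMail ConnectToHub issue (CVE-2026-24423).

Two checks drawn from the article text:
  1. is_patched(build): build 9511 is the first SmarterMail build with the fix.
  2. find_suspicious_requests(lines): flag POST requests to a ConnectToHub
     endpoint that carry no authenticated user, since the API is reported to
     accept anonymous JSON POSTs.

ASSUMPTIONS (constructed for this example): the access-log layout below and the
endpoint path "/api/v1/ConnectToHub" are not SmarterMail's real format or route.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

PATCHED_BUILD = 9511          # from the article: build 9511 fixes CVE-2026-24423
KEV_DEADLINE = "2026-02-26"   # CISA KEV remediation date stated in the article

# Constructed log format:
#   "<timestamp> <client_ip> <user_or_-> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    ts: str
    ip: str
    path: str
    reason: str


def is_patched(build: int) -> bool:
    """True when the running build already contains the CVE-2026-24423 fix."""
    return build >= PATCHED_BUILD


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_requests(lines: Iterable[str]) -> List[Finding]:
    """Return anonymous POSTs to any path containing 'ConnectToHub'.

    Authenticated POSTs are legitimate hub traffic and are not reported; GETs are
    skipped because the reported weakness is the JSON POST handler.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if "connecttohub" not in rec["path"].lower():
            continue
        if rec["user"] == "-":  # "-" marks an unauthenticated request in this layout
            findings.append(Finding(rec["ts"], rec["ip"], rec["path"],
                                    "anonymous POST to ConnectToHub endpoint"))
    return findings


def triage(build: int, lines: Iterable[str]) -> dict:
    """Combine patch status and log findings into one report."""
    return {
        "patched": is_patched(build),
        "kev_deadline": KEV_DEADLINE,
        "findings": find_suspicious_requests(lines),
    }


# Constructed sample log (documentation-range IPs); not captured from a real server.
SAMPLE_LOG = [
    "2026-01-20T10:01:02Z 203.0.113.5 - POST /api/v1/ConnectToHub 200",      # anonymous: flag
    "2026-01-20T10:01:05Z 198.51.100.7 admin POST /api/v1/ConnectToHub 200", # authenticated
    "2026-01-20T10:02:00Z 203.0.113.5 - GET /api/v1/ConnectToHub 405",       # not a POST
    "2026-01-20T10:03:00Z 192.0.2.9 - POST /api/v1/auth/authenticate-user 200",  # other path
    "garbage line",                                                          # unparseable
]

if __name__ == "__main__":
    report = triage(9400, SAMPLE_LOG)
    print("patched:", report["patched"], "| KEV deadline:", report["kev_deadline"])
    for f in report["findings"]:
        print(f"{f.ts} {f.ip} {f.path}: {f.reason}")
```

A hit from this filter is a reason to look, not proof of compromise: confirm the real endpoint path and log layout for your deployment before trusting the result, and treat any unpatched build (below 9511) as the first thing to fix regardless of what the logs show.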

On Thursday, CISA added CVE-2026-24423 to the KEV catalog and alerted federal agencies that they should patch it by February 26, warning that it has been exploited by ransomware groups.

The cybersecurity agency applied a similar patching deadline to CVE-2025-11953, a critical React Native OS command injection vulnerability that has been exploited in the wild since December.

Related: Concerns Raised Over CISA’s Silent Ransomware Updates in KEV Catalog

Related: Cryptominers, Reverse Shells Dropped in Recent React2Shell Attacks

Related: CISA Closes 10 Emergency Directives as Vulnerability Catalog Takes Over

Related: VS Code Configs Expose GitHub Codespaces to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
