For the third time in two weeks, CISA added a vulnerability (CVE-2026-24423) affecting SmarterTools’ SmarterMail email and collaboration server to its Known Exploited Vulnerabilities catalog, and this one is being exploited in ransomware attacks.
A glut of SmarterMail vulnerabilities
On January 26, the US cybersecurity agency listed CVE-2025-52691 (a unrestricted upload of file with dangerous type vulnerability) and CVE-2026-23760 (an authentication bypass flaw) affecting SmarterMail in the KEV catalog.
WatchTowr researchers analyzed and shared technical details of both vulnerabilities, and in-the-wild exploitation of the latter was soon confirmed by several security companies.
About CVE-2026-24423
CVE-2026-24423, which was indepentently reported by Sina Kheirkhah and Piotr Bazydlo of watchTowr, Markus Wulftange of CODE WHITE GmbH, and Cale Black of VulnCheck, stems from missing authentication for a critical function – SmarterMail’s ConnectToHub API.
It affects SmarterMail versions before v100.0.9511, allowing unauthenticated attackers to achieve remote code execution by sending a specially crafted POST request that will be executed by the vulnerable application.
“The vulnerable API endpoint (/api/v1/settings/sysadmin/connect-to-hub) does not require authentication and configures the mounted path of the server. This mount command is controlled by the remote server, and arbitrary commands are defined as helpers to mount on all supported platforms,” Black explained.
The connect-to-hub endpoint processes remote addresses in the hubAddress parameter and requests /web/api/node-management/setup-initial-connection (or in older versions, /web/api/hub-connection/setup-initial-connection) on the attacker-controlled server. The server then responds with a JSON object that includes the CommandMount parameter, which will allow the adversary to define arbitrary command execution parameters and, if the parameter checks are satisfied, will execute commands on all platforms.
He advised users to update to the latest SmarterMail build available and enterprise defenders to look into the logs for suspicious interactions with the unsecured endpoint.
The US Cybersecurity and Infrastructure Security Agency ordered US federal civilian agencies to address the vulnerability by February 26, 2026.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
