Ransomware operators are actively exploiting a critical vulnerability in SmarterTools SmarterMail, tracked as CVE-2026-24423, which allows for unauthenticated remote code execution. This flaw, identified in versions prior to build 9511, has a CVSS score of 9.8 and was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on February 5, 2026, just days after its initial disclosure on January 23, 2026.
The vulnerability resides in the ConnectToHub API method, where attackers can direct SmarterMail to a malicious HTTP server. This server then delivers a crafted OS command that the vulnerable system executes, granting attackers the ability to run arbitrary code remotely. The exploitation of this flaw was observed in the wild within just 4.3 days of its disclosure, underscoring the urgency for organizations to patch affected systems.
A proof-of-concept exploit is available, further facilitating the ease with which attackers can leverage this vulnerability. The Exploit Prediction Scoring System (EPSS) rates this vulnerability at 0.803, indicating a high likelihood of exploitation. Given its critical nature and the known use by ransomware groups, organizations using SmarterMail should prioritize updating to build 9511 or later to mitigate the risk.
Security teams should verify the integrity of their SmarterMail installations and monitor for any signs of compromise. Immediate action is recommended to prevent potential exploitation, as the SSVC decision tree categorizes this vulnerability as requiring urgent attention.
CSURFACE