Two critical vulnerabilities in SmarterTools SmarterMail have been actively exploited by the Warlock ransomware group, leading to significant security breaches. The vulnerabilities, tracked as CVE-2026-23760 and CVE-2026-24423, both carry a CVSS score of 9.8, highlighting their severe impact potential.
CVE-2026-23760 is an authentication bypass flaw in the password reset API of SmarterMail versions prior to build 9511. This vulnerability allows attackers to reset system administrator passwords without needing the existing password or a reset token, effectively granting unauthorized access. The exploit was used in the wild before its disclosure, marking it as a zero-day vulnerability with a TTE of -0.6 days.
CVE-2026-24423, also affecting SmarterMail versions before build 9511, is an unauthenticated remote code execution vulnerability in the ConnectToHub API method. Attackers can exploit this flaw by directing SmarterMail to a malicious HTTP server, which then executes harmful OS commands. This vulnerability was exploited within 4.3 days of its disclosure.
Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, with CVE-2026-23760 listed on January 26, 2026, and CVE-2026-24423 on February 5, 2026. Proof-of-concept exploits are available for both, underscoring the urgency for organizations to patch affected systems immediately.
Administrators are urged to update to SmarterMail build 9511 or later to mitigate these risks. Given the known use of these vulnerabilities by ransomware actors, swift action is critical to prevent further exploitation and potential data breaches.
CSURFACE