
CVE-2026-24423: SmarterMail authentication bypass exploited by ransomware

What CVE-2026-24423 is

CVE-2026-24423 is a critical unauthenticated remote code execution (RCE) vulnerability in SmarterMail, the mail server from SmarterTools. The flaw sits in the ConnectToHub API endpoint (/api/v1/settings/sysadmin/connect-to-hub), which the application explicitly marks as anonymous (AllowAnonymous = true). In plain terms, any remote client can invoke it with no credentials and no privileges.

The root cause is that anonymous endpoint combined with blind trust in data the server fetches from an attacker-chosen address. The attacker sends a POST request whose hubAddress parameter points to a server they control. SmarterMail connects to that address and requests /web/api/node-management/setup-initial-connection. The attacker's server replies with a JSON object containing a CommandMount value; SmarterMail deserializes it, passes it through MountConfiguration.Mount() and on to CommandLine.RunCommand(), which executes it as an operating-system command: cmd.exe /c <command> on Windows and /bin/bash -c <command> on Linux/macOS. The command runs as the SmarterMail service account, and on Linux the same flow also opens the door to privilege escalation through that account's sudo rights. No user interaction is involved at any point: the victim server performs the outbound fetch itself.

Who is affected and how severe it is

Every SmarterMail build prior to v100.0.9511 is affected. Mail servers are internet-facing by design, so the exposed population is large: any publicly reachable, unpatched instance can be fully compromised remotely without a single user click.

The severity is critical. Mass exploitation started around January 28, 2026, roughly two weeks after the fix was released; watchTowr researchers counted more than 1,000 exploitation attempts from about 60 distinct attacker IP addresses in just two weeks. This is not a theoretical risk: ransomware operators used the bug heavily, and the vendor itself, SmarterTools, was breached by the Storm-2603 group. A public proof of concept demonstrates command execution on both Windows and Linux, so the barrier to entry is low.

With active ransomware exploitation confirmed, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and directed US federal agencies to patch by February 26, 2026.

Mitigation and patch

The fix ships in SmarterMail Build v100.0.9511, released on January 15, 2026. The first and urgent step is to update to that build or later; every earlier build is exploitable.

A few more steps:

  • If you can't patch right away, put the admin interface and the ConnectToHub endpoint behind firewall or reverse-proxy rules that admit only trusted addresses. Remember that the application itself will accept the request anonymously, so the proxy or firewall is the only control standing in the way.
  • Check web-server logs for requests to /api/v1/settings/sysadmin/connect-to-hub, including mixed-case and percent-encoded variants that a naive search would miss, and network or proxy logs for outbound connections from the mail server to hosts you don't recognize, especially ones fetching /web/api/node-management/setup-initial-connection. A request alone is an attempt; a request followed by a dial-out means the server fetched the attacker's payload.
  • Assume compromise if your instance was exposed and unpatched since late January: hunt for ransomware indicators, new accounts, scheduled tasks or cron jobs you don't recognize, and child processes of the SmarterMail service spawning cmd.exe or /bin/bash.
  • On Linux deployments, review the service account's sudo configuration (sudo -l -U <service-account> lists what it may run) and remove anything the service doesn't need, to cap the damage from any command execution.
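The log checks in the list above, and the two-sided exploit flow described under "What CVE-2026-24423 is", as an added example that is not part of the original article, nor SmarterMail code, nor watchTowr's tooling. It pairs each inbound request to the ConnectToHub endpoint with any outbound connection the mail server made shortly afterwards to a host that is not one of its legitimate hubs. It assumes the reverse proxy writes Combined Log Format, that outbound connections are available from a host firewall export as "<timestamp> <src> <dst>:<port>", and that 192.0.2.25 is the mail server; the log lines, the hub allowlist and the 30-second window are all constructed for the example.

```python
"""Added example for this article: hunts for the exploit flow of CVE-2026-24423
in logs. It is not SmarterMail code and not watchTowr's tooling.

Two things are observable: (1) an inbound request to the ConnectToHub endpoint,
and (2) the server dialling out to the attacker-supplied hubAddress right after.
One without the other is an attempt; both together mean the server fetched the
attacker's JSON and most likely ran CommandMount.

Assumptions, none of which come from the article: inbound requests are logged by
a reverse proxy in Combined Log Format, outbound connections come from a host
firewall export as "<iso-timestamp> <src> <dst>:<port>", and all log lines below
are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import unquote

TARGET_PATH = "/api/v1/settings/sysadmin/connect-to-hub"
CALLBACK_WINDOW = timedelta(seconds=30)   # how long after the POST a dial-out counts
MAIL_SERVER_IP = "192.0.2.25"             # the SmarterMail host (constructed)
ALLOWED_HUBS = {"hub.example.net"}        # hubs this server is legitimately configured for

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
OUTBOUND_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+)$")

ACCESS_LOG = [  # constructed
    '198.51.100.7 - - [28/Jan/2026:03:14:07 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [28/Jan/2026:03:20:41 +0000] "POST //API/v1/settings/sysadmin/Connect-To-Hub?x=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.5 - - [28/Jan/2026:03:21:00 +0000] "GET /interface/root HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [28/Jan/2026:04:02:19 +0000] "POST /api/v1/settings/sysadmin/connect%2Dto%2Dhub HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]
OUTBOUND_LOG = [  # constructed: the mail server's outbound TCP connections
    "2026-01-28T03:14:08+00:00 192.0.2.25 198.51.100.7:443",
    "2026-01-28T03:20:42+00:00 192.0.2.25 198.51.100.77:8080",
    "2026-01-28T03:30:00+00:00 192.0.2.25 hub.example.net:443",
    "2026-01-28T04:02:20+00:00 192.0.2.25 hub.example.net:443",
]


def normalize_path(raw: str) -> str:
    """Fold the spellings an attacker can use for the same endpoint: query
    strings, percent-encoding (decoded twice so double-encoding is caught too),
    repeated slashes, trailing slash and mixed case (.NET routing ignores case)."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/").lower()


@dataclass
class Hit:
    ts: datetime
    src: str
    raw_path: str
    status: str
    callbacks: list[str]   # unfamiliar hosts the server reached within CALLBACK_WINDOW

    @property
    def verdict(self) -> str:
        return "likely-exploited" if self.callbacks else "attempt"


def parse_outbound(line: str):
    m = OUTBOUND_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def hunt(access_lines, outbound_lines, server_ip=MAIL_SERVER_IP, allowed=ALLOWED_HUBS) -> list[Hit]:
    outbound = [o for o in map(parse_outbound, outbound_lines) if o and o[1] == server_ip]
    hits: list[Hit] = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or normalize_path(m["path"]) != TARGET_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Everything the server dialled out to shortly after this request, minus
        # the hubs it is supposed to talk to (rsplit keeps a bracketed IPv6 host whole).
        callbacks = sorted({dst for ots, _, dst in outbound
                            if ts <= ots <= ts + CALLBACK_WINDOW
                            and dst.rsplit(":", 1)[0] not in allowed})
        hits.append(Hit(ts, m["src"], m["path"], m["status"], callbacks))
    return hits


if __name__ == "__main__":
    for h in hunt(ACCESS_LOG, OUTBOUND_LOG):
        print(f"{h.ts.isoformat()} {h.src:<15} {h.status} {h.verdict:<16} {h.callbacks}")
```

On the constructed data the first two requests are followed within seconds by a connection to an address that is not a configured hub, so they come out as likely-exploited; the third request was refused by the proxy (403) and the only outbound connection near it is to the legitimate hub, so it is logged as an attempt. The path normalization deliberately over-matches: a hunting rule should catch the odd spellings first and let an analyst discard false positives.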

Locking down process isolation for the mail server and applying mandatory access control (MAC) helps contain this kind of RCE, for instance by denying the service the ability to spawn a shell at all; there's more in our article on SELinux and AppArmor.
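Alongside that host-side containment, the network-side stopgap from the first item in the list above, as an added example that is not from the article or from SmarterTools: an nginx reverse-proxy rule that lets only a trusted address reach the sysadmin API. It assumes SmarterMail's web interface is listening locally on port 9998 and that 203.0.113.10 is the sole administrator address; both are placeholders to adjust.

```nginx
# Added example: reverse-proxy stopgap for an unpatched SmarterMail instance.
# Assumptions (not from the article): SmarterMail's web interface is on
# 127.0.0.1:9998, and 203.0.113.10 is the only trusted admin address.
upstream smartermail {
    server 127.0.0.1:9998;
}

server {
    listen 443 ssl;
    server_name mail.example.com;
    # ssl_certificate and ssl_certificate_key omitted for brevity

    # Matched with ~* (case-insensitive regex) rather than an exact location:
    # the .NET router behind the proxy ignores case, so a case-sensitive match
    # on /api/v1/settings/sysadmin/connect-to-hub would let /API/v1/... through.
    # Denying the whole sysadmin prefix is simpler than enumerating one endpoint
    # and is what "restrict the admin interface" means in practice.
    location ~* ^/api/v1/settings/sysadmin/ {
        allow 203.0.113.10;
        deny  all;                      # 403 for everyone else
        proxy_pass http://smartermail;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (webmail and the rest of the API) stays reachable.
    location / {
        proxy_pass http://smartermail;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats. The rule only helps if the proxy is the only way in: if SmarterMail's own listener is reachable from the internet, firewall it so that only the proxy can connect. And while nginx normalizes the request URI (percent-decoding, collapsing repeated slashes) before matching locations, no proxy is guaranteed to parse paths exactly like the application behind it, so treat this as a bridge to the patch, not a substitute for it.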
