dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score

info@thehackernews.com (The Hacker News)
January 30, 2026
SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. “SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API
Total
0
Shares
0
0
0

SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0.

“SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method,” according to a description of the flaw in CVE.org.

“The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS [operating system] command. This command will be executed by the vulnerable application.”

watchTowr researchers Sina Kheirkhah and Piotr Bazydlo, CODE WHITE GmbH’s Markus Wulftange, and VulnCheck’s Cale Black have been credited with discovering and reporting the vulnerability.

The security hole has been addressed in version Build 9511, released on January 15, 2026. The same build also patches another critical flaw (CVE-2026-23760, CVSS score: 9.3) that has since come under active exploitation in the wild.

Cybersecurity

In addition, SmarterTools has shipped fixes to plug a medium-severity security vulnerability (CVE-2026-25067, CVSS score: 6.9) that could allow an attacker to facilitate NTLM relay attacks and unauthorized network authentication.

It has been described as a case of unauthenticated path coercion affecting the background-of-the-day preview endpoint.

“The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation,” VulnCheck noted in an alert.

“On Windows systems, this allows UNC [Universal Naming Convention] paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.”

The vulnerability has been patched in Build 9518, released on January 22, 2026. With two vulnerabilities in SmarterMail coming under active exploitation over the past week, it’s essential that users update to the latest version as soon as possible.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

January 29, 2026
Next Post

Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup

January 30, 2026
Related Posts
2 min

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

Cisco has released fresh patches to address what it described as a "critical" security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the
info@thehackernews.com (The Hacker News)
January 21, 2026
Read More
10 min

Badges, Bytes and Blackmail

Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape? Introduction: One view on the scattered fight against cybercrime The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly
info@thehackernews.com (The Hacker News)
January 30, 2026
Read More
3 min

Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware

Cybersecurity researchers have discovered an ongoing campaign that's targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign. The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat
info@thehackernews.com (The Hacker News)
January 26, 2026
Read More