CVE-2026-24423

CVE-2026-24423 is a critical-severity vulnerability in Smartertools Smartermail with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-02-05). The underlying weakness is classified as CWE-306.

Key facts

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

SmarterMail ConnectToHub API Unauthenticated RCE (CVE-2026-24423)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2026-24423
Product SmarterTools SmarterMail
CWE CWE-306: Missing Authentication for Critical Function
CVSS 3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS 4.0 9.3 Critical
EPSS 0.87693 (99.7th percentile)
KEV Yes — added 2026-02-05
EU Exploited Yes — since 2026-02-05

Summary

SmarterMail's ConnectToHub API method, intended to facilitate inter-server communication, fails to require authentication before executing OS-level commands retrieved from a user-supplied HTTP endpoint. An unauthenticated remote attacker can point SmarterMail at a malicious server that serves an arbitrary OS command, which the vulnerable application then executes with its own privileges.

Background

SmarterMail is a widely deployed Windows-based email server and collaboration platform. The ConnectToHub feature is designed to connect a SmarterMail instance to a central hub server for unified administration. The vulnerability resides in the SystemAdminSettingsController.ConnectToHub endpoint, which was exposed without adequate access controls.

Root Cause — CWE-306

The flaw is a classic instance of CWE-306: Missing Authentication for Critical Function. The ConnectToHub method accepts a remote URL and subsequently fetches and executes shell commands from that URL without first validating that the caller possesses administrative privileges. Because the endpoint is reachable without authentication, any network-accessible SmarterMail instance can be coerced into downloading and executing attacker-controlled payloads.

Impact

With a CVSS 3.1 score of 9.8 and a CVSS 4.0 score of 9.3, this vulnerability is rated Critical. The metrics reflect:

  • Attack Vector: Network — Exploitable remotely without adjacency.
  • Attack Complexity: Low — No special conditions or race windows required.
  • Privileges Required: None — Fully unauthenticated.
  • User Interaction: None — Fully automated, no victim clicks required.
  • Confidentiality, Integrity, Availability: All High — Successful exploitation grants complete control over the host.

Exploitation Walkthrough

⚠️ Ethics & Legal Notice — The description below is provided for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.

An attacker proceeds as follows at a high level:

  1. Identify a target SmarterMail instance reachable over the internet (commonly on TCP ports 443 or 9998).
  2. Host a malicious HTTP server that responds to a specific request with an OS command payload (e.g., PowerShell or cmd.exe directives).
  3. Invoke the ConnectToHub API on the target, supplying the attacker's server URL as the hub endpoint.
  4. The SmarterMail server connects back to the attacker-controlled server, downloads the payload, and executes it locally.
  5. Post-exploitation may include deploying persistent access mechanisms, exfiltrating mail stores, or lateral movement within the victim network.

Defenders should treat any SmarterMail instance older than build 9511 as potentially compromised if it has been internet-facing since January 2026.

Affected and Patched Versions

Status Versions
Affected SmarterMail versions prior to build 9511
Patched SmarterMail build 9511 and later

Administrators should consult the SmarterMail release notes to confirm the exact build number installed.

Remediation

  1. Upgrade immediately to SmarterMail build 9511 or the latest available release. This is a known-exploited vulnerability with a very high EPSS score.
  2. Restrict network exposure — SmarterMail administrative interfaces should not be exposed directly to the internet. Place them behind a VPN, bastion host, or IP-restricted firewall rules.
  3. Compensating controls if immediate patching is not possible:
    • Block or heavily rate-limit access to the SystemAdminSettingsController endpoints at the reverse-proxy or WAF layer.
    • Enable robust outbound filtering so the SmarterMail server cannot initiate arbitrary HTTP connections to untrusted hosts.
    • Review and restrict the service account privileges under which SmarterMail runs; avoid LocalSystem where feasible.

Detection

  • Network: Monitor for unexpected outbound HTTP/HTTPS connections originating from SmarterMail servers to unknown external IPs, especially following requests to /api/v1/settings/system/connect-to-hub or similar administrative paths.
  • Endpoint: Look for anomalous process spawning (e.g., powershell.exe, cmd.exe, or wscript.exe) from the SmarterMail worker process.
  • Logs: Correlate web server logs for unauthenticated POST or GET requests to the ConnectToHub endpoint with subsequent outbound connections.
  • Threat Intelligence: Leverage IOCs published by VulnCheck and CISA to hunt for known attacker infrastructure.

Assessment

The combination of an EPSS score of 0.87693 (99.7th percentile) and confirmed Known Exploited Vulnerability (KEV) status means this flaw is not theoretical—active exploitation has been observed in the wild since early February 2026. Organizations running exposed SmarterMail instances should treat this as an active incident until patched and verified clean.

Key takeaways:

  1. Authentication is non-negotiable on administrative endpoints. Even internal APIs that seem unlikely to be reached by outsiders must enforce strong authentication.
  2. Remote command execution should never be a side effect of a configuration API. The ability to pull and execute code from an arbitrary URL is an inherently dangerous design that demands multiple layers of authorization and allow-listing.

References

Frequently asked questions

What is CVE-2026-24423?
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
How severe is CVE-2026-24423?
CVE-2026-24423 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-24423 being actively exploited?
Yes. CVE-2026-24423 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-02-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2026-24423?
CVE-2026-24423 affects Smartertools Smartermail. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-24423?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2026-24423 have an EU (EUVD) identifier?
Yes. CVE-2026-24423 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4273. It is also flagged as exploited in the EUVD (since 2026-02-05).
When was CVE-2026-24423 published?
CVE-2026-24423 was published on 2026-01-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Smartertools Smartermail

All CVEs affecting Smartertools Smartermail →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →