CVE-2026-24423
CVE-2026-24423 is a critical-severity vulnerability in Smartertools Smartermail with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-02-05). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 9.3
- EPSS exploit prediction: 88% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-02-05)
- EU (EUVD) id: EUVD-2026-4273
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-02-05)
- Weakness: CWE-306
- Affected product: Smartertools Smartermail
- Published:
- Last modified:
Description
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
SmarterMail ConnectToHub API Unauthenticated RCE (CVE-2026-24423)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2026-24423 |
| Product | SmarterTools SmarterMail |
| CWE | CWE-306: Missing Authentication for Critical Function |
| CVSS 3.1 | 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CVSS 4.0 | 9.3 Critical |
| EPSS | 0.87693 (99.7th percentile) |
| KEV | Yes — added 2026-02-05 |
| EU Exploited | Yes — since 2026-02-05 |
Summary
SmarterMail's ConnectToHub API method, intended to facilitate inter-server communication, fails to require authentication before executing OS-level commands retrieved from a user-supplied HTTP endpoint. An unauthenticated remote attacker can point SmarterMail at a malicious server that serves an arbitrary OS command, which the vulnerable application then executes with its own privileges.
Background
SmarterMail is a widely deployed Windows-based email server and collaboration platform. The ConnectToHub feature is designed to connect a SmarterMail instance to a central hub server for unified administration. The vulnerability resides in the SystemAdminSettingsController.ConnectToHub endpoint, which was exposed without adequate access controls.
Root Cause — CWE-306
The flaw is a classic instance of CWE-306: Missing Authentication for Critical Function. The ConnectToHub method accepts a remote URL and subsequently fetches and executes shell commands from that URL without first validating that the caller possesses administrative privileges. Because the endpoint is reachable without authentication, any network-accessible SmarterMail instance can be coerced into downloading and executing attacker-controlled payloads.
Impact
With a CVSS 3.1 score of 9.8 and a CVSS 4.0 score of 9.3, this vulnerability is rated Critical. The metrics reflect:
- Attack Vector: Network — Exploitable remotely without adjacency.
- Attack Complexity: Low — No special conditions or race windows required.
- Privileges Required: None — Fully unauthenticated.
- User Interaction: None — Fully automated, no victim clicks required.
- Confidentiality, Integrity, Availability: All High — Successful exploitation grants complete control over the host.
Exploitation Walkthrough
⚠️ Ethics & Legal Notice — The description below is provided for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.
An attacker proceeds as follows at a high level:
- Identify a target SmarterMail instance reachable over the internet (commonly on TCP ports 443 or 9998).
- Host a malicious HTTP server that responds to a specific request with an OS command payload (e.g., PowerShell or
cmd.exedirectives). - Invoke the
ConnectToHubAPI on the target, supplying the attacker's server URL as the hub endpoint. - The SmarterMail server connects back to the attacker-controlled server, downloads the payload, and executes it locally.
- Post-exploitation may include deploying persistent access mechanisms, exfiltrating mail stores, or lateral movement within the victim network.
Defenders should treat any SmarterMail instance older than build 9511 as potentially compromised if it has been internet-facing since January 2026.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | SmarterMail versions prior to build 9511 |
| Patched | SmarterMail build 9511 and later |
Administrators should consult the SmarterMail release notes to confirm the exact build number installed.
Remediation
- Upgrade immediately to SmarterMail build 9511 or the latest available release. This is a known-exploited vulnerability with a very high EPSS score.
- Restrict network exposure — SmarterMail administrative interfaces should not be exposed directly to the internet. Place them behind a VPN, bastion host, or IP-restricted firewall rules.
- Compensating controls if immediate patching is not possible:
- Block or heavily rate-limit access to the
SystemAdminSettingsControllerendpoints at the reverse-proxy or WAF layer. - Enable robust outbound filtering so the SmarterMail server cannot initiate arbitrary HTTP connections to untrusted hosts.
- Review and restrict the service account privileges under which SmarterMail runs; avoid LocalSystem where feasible.
- Block or heavily rate-limit access to the
Detection
- Network: Monitor for unexpected outbound HTTP/HTTPS connections originating from SmarterMail servers to unknown external IPs, especially following requests to
/api/v1/settings/system/connect-to-hubor similar administrative paths. - Endpoint: Look for anomalous process spawning (e.g.,
powershell.exe,cmd.exe, orwscript.exe) from the SmarterMail worker process. - Logs: Correlate web server logs for unauthenticated
POSTorGETrequests to theConnectToHubendpoint with subsequent outbound connections. - Threat Intelligence: Leverage IOCs published by VulnCheck and CISA to hunt for known attacker infrastructure.
Assessment
The combination of an EPSS score of 0.87693 (99.7th percentile) and confirmed Known Exploited Vulnerability (KEV) status means this flaw is not theoretical—active exploitation has been observed in the wild since early February 2026. Organizations running exposed SmarterMail instances should treat this as an active incident until patched and verified clean.
Key takeaways:
- Authentication is non-negotiable on administrative endpoints. Even internal APIs that seem unlikely to be reached by outsiders must enforce strong authentication.
- Remote command execution should never be a side effect of a configuration API. The ability to pull and execute code from an arbitrary URL is an inherently dangerous design that demands multiple layers of authorization and allow-listing.
References
- https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
- https://www.smartertools.com/smartermail/release-notes/current
- https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423
Frequently asked questions
- What is CVE-2026-24423?
- SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
- How severe is CVE-2026-24423?
- CVE-2026-24423 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-24423 being actively exploited?
- Yes. CVE-2026-24423 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-02-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-24423?
- CVE-2026-24423 affects Smartertools Smartermail. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-24423?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-24423 have an EU (EUVD) identifier?
- Yes. CVE-2026-24423 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4273. It is also flagged as exploited in the EUVD (since 2026-02-05).
- When was CVE-2026-24423 published?
- CVE-2026-24423 was published on 2026-01-23 and last updated on 2026-06-17.
References
- https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
- https://www.smartertools.com/smartermail/release-notes/current
- https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423
Affected products (1)
- cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*
More vulnerabilities in Smartertools Smartermail
- CVE-2025-52691 — Critical (CVSS 10.0): Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any…
- CVE-2026-23760 — Critical (CVSS 9.8): SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password…
- CVE-2021-32234 — Critical (CVSS 9.8): SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
- CVE-2019-7214 — Critical (CVSS 9.8): SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker…
- CVE-2019-7212 — High (CVSS 8.2): SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access…
- CVE-2026-7807 — High (CVSS 8.1): SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the…
All CVEs affecting Smartertools Smartermail →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →