CVE-2026-23760 — SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability

SmarterMail — Unauthenticated admin password reset via IsSysAdmin bypass; exploited within 2 days of patch

What is SmarterMail?

SmarterTools SmarterMail is a self-hosted enterprise email and collaboration server platform for Windows and Linux. It provides SMTP, IMAP, POP3, webmail, calendaring, and task management for organizations that run their own mail infrastructure rather than using cloud services. SmarterMail is widely used by web hosting companies, internet service providers, managed service providers, and businesses that require on-premises email control. Because it runs as an internet-facing mail server with direct access to all organizational email and often with SYSTEM-level privileges on the host, a compromised SmarterMail instance grants an attacker access to every mailbox, all email content and attachments, and typically full operating system control over the server.

SmarterTools estimated over 10,000 publicly reachable SmarterMail instances existed at the time exploitation began in January 2026.

Overview

CVE-2026-23760 is a CWE-288 (Authentication Bypass Using an Alternate Path or Channel) vulnerability in SmarterMail's password reset API. The /api/v1/auth/force-reset-password endpoint is decorated with AllowAnonymous = true, permitting unauthenticated requests. When the request body sets IsSysAdmin=true, the server skips all validation of the existing password — the OldPassword parameter is accepted but never checked — and immediately resets the target system administrator account to the attacker-supplied password. This allows any remote, unauthenticated attacker who knows an administrator username (or can enumerate one) to take full control of the SmarterMail instance in a single HTTP request.

Exploitation began within approximately two days of SmarterTools publishing the patch on January 15, 2026. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on January 26, 2026. The Warlock ransomware group (also tracked as Gold Salem / Storm-2603) exploited this CVE and the companion CVE-2026-24423 in a breach of SmarterTools' own infrastructure on January 29, 2026.

This CVE is flagged for ransomware use in the CISA KEV catalog.

Affected Versions

Component              Vulnerable                  Fixed
SmarterMail (Windows)  All builds prior to 9511    Build 9511 (Jan 15, 2026); Build 9518+ recommended
SmarterMail (Linux)    All builds prior to 9511    Build 9511 (Jan 15, 2026); Build 9518+ recommended

Build 9518 (released January 22, 2026) includes additional security hardening beyond the minimum fix in Build 9511 and is the recommended target version.

Technical Details

The vulnerability exists in SmarterMail's force-reset-password API endpoint. The endpoint implements two distinct code paths based on the value of the IsSysAdmin Boolean in the request body:

  • Regular user path (IsSysAdmin=false): The existing password is validated before the reset is permitted — this path functions correctly.
  • System administrator path (IsSysAdmin=true): All credential validation is skipped. The OldPassword value is accepted in the request but never evaluated. The new password is applied immediately.

A minimal exploit request looks like:

POST /api/v1/auth/force-reset-password HTTP/1.1
Host: <target>
Content-Type: application/json

{
  "IsSysAdmin": true,
  "Username": "admin",
  "OldPassword": "anything",
  "NewPassword": "NewPass123!",
  "ConfirmPassword": "NewPass123!"
}

Once authenticated with the new credentials, an attacker can leverage SmarterMail's Volume Mounts administration feature to execute arbitrary operating system commands. On Windows hosts this results in SYSTEM-level code execution; on Linux hosts it produces root-level execution. The full compromise chain — from unauthenticated network access to OS-level RCE — requires only two HTTP requests and no specialized tooling.

Discovery

The vulnerability was identified by researchers at watchTowr Labs (Sina Kheirkhah and Piotr Bazydlo), who also published a proof-of-concept. CYFIRMA Research conducted follow-on analysis. The CVE was assigned and published on January 22, 2026, one week after SmarterTools released the initial patch (Build 9511) on January 15, 2026. This narrow window between patch and publication — combined with the trivial exploitability — led to mass exploitation within days.

Exploitation Context

Exploitation was observed in the wild as early as January 17, 2026, approximately two days after the patch was available and before most organizations had applied it. By late January 2026, over 10,000 SmarterMail instances were estimated to be publicly reachable and unpatched.

The most significant confirmed incident was the breach of SmarterTools itself on January 29, 2026, attributed to Warlock ransomware (also tracked as Gold Salem by Sophos and Storm-2603 by Microsoft). Warlock is characterized as a threat actor that blends state-sponsored espionage techniques with cybercrime operations and specifically targets enterprise software vendors and hosting providers.

CVE-2026-23760 is typically exploited alongside CVE-2026-24423 (ConnectToHub unauthenticated RCE, also in SmarterMail) in the same campaign. This CVE is flagged as associated with ransomware use in the CISA KEV catalog.

Remediation

  1. Patch: Upgrade SmarterMail to Build 9518 or later immediately. Build 9511 is the minimum fix for CVE-2026-23760, but Build 9518 includes further security improvements and is the vendor-recommended version.
  2. Firewall / access restriction: Restrict access to the SmarterMail web interface (typically port 443 or 80) to trusted IP ranges if the server does not need to be publicly accessible. The administrative interface in particular should never be exposed to the internet without additional access controls.
  3. Credential audit: Review SmarterMail system administrator accounts for any unexpected password changes, unfamiliar usernames, or accounts added after January 15, 2026. Any unrecognized admin accounts should be treated as indicators of compromise.
  4. Log review: Audit web server access logs for POST requests to /api/v1/auth/force-reset-password with an IsSysAdmin=true body, or for any requests to /api/v1/settings/sysadmin/connect-to-hub (the CVE-2026-24423 endpoint). Check for unexpected outbound HTTP connections from the SmarterMail service process, which could indicate SSRF exploitation via ConnectToHub.
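As an added example (not part of this advisory or of SmarterTools' tooling), the following Python triage script implements step 4 over constructed nginx/Apache-style access log lines: it flags POST requests to both endpoints named above, records whether each was accepted (2xx) and whether it landed before the host was patched, and lists source addresses that hit both endpoints. It assumes the combined log format and that the patch time is supplied as an ISO-8601 timestamp with a UTC offset; because standard access logs do not record request bodies, the IsSysAdmin=true field cannot be matched here and every POST to the reset endpoint from an unexpected source is treated as worth review.

```python
import re
from datetime import datetime
# Endpoints named in the advisory, mapped to the CVE each one belongs to.
WATCHED_ENDPOINTS = {
    "/api/v1/auth/force-reset-password": "CVE-2026-23760",
    "/api/v1/settings/sysadmin/connect-to-hub": "CVE-2026-24423",
}
# Combined log format (nginx/Apache style); IIS W3C logs would need another regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def scan_access_log(lines, patched_at=None):
    """One finding per POST to a watched endpoint. patched_at is the ISO-8601 time (with
    UTC offset) this host reached Build 9511+; if None, every hit is treated as pre-patch."""
    patched = datetime.fromisoformat(patched_at) if patched_at else None
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort a triage run
        path = m["path"].split("?", 1)[0].lower()  # ASP.NET routes are case-insensitive
        cve = WATCHED_ENDPOINTS.get(path)
        if cve is None or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        findings.append({
            "ip": m["ip"], "time": ts.isoformat(), "path": path, "cve": cve,
            "status": int(m["status"]), "user_agent": m["ua"],
            # A 2xx from the reset endpoint means the server accepted the request.
            "accepted": m["status"].startswith("2"),
            "pre_patch": patched is None or ts < patched,
        })
    return findings

def chained_sources(findings):
    """Source IPs that hit both endpoints, the pairing the advisory describes."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["cve"])
    return sorted(ip for ip, cves in by_ip.items() if len(cves) == 2)

# Constructed sample lines (not real traffic); 203.0.113.5 shows the two-CVE pairing.
SAMPLE_LOG = [
    '198.51.100.23 - - [16/Jan/2026:09:02:11 +0000] "GET /interface/root HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2026:03:14:07 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.5 - - [17/Jan/2026:03:14:09 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 58 "-" "python-requests/2.31"',
    '192.0.2.77 - - [21/Jan/2026:11:30:00 +0000] "POST /API/v1/auth/force-reset-password HTTP/1.1" 403 0 "-" "curl/8.5"',
]
```

Run scan_access_log(SAMPLE_LOG, patched_at="2026-01-20T00:00:00+00:00") to see the three flagged requests, and feed the result to chained_sources to get the address that used both endpoints.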

Key Details

Property              Value
CVE ID                CVE-2026-23760
Vendor / Product      SmarterTools — SmarterMail
NVD Published         2026-01-22
NVD Last Modified     2026-01-27
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-288
CISA KEV Added        2026-01-26
CISA KEV Deadline     2026-02-16
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-02-16. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2026-01-15  SmarterTools releases Build 9511 patching CVE-2026-23760 and CVE-2026-24423
2026-01-17  Active exploitation begins — approximately 2 days after patch release
2026-01-22  CVE-2026-23760 published
2026-01-22  SmarterTools releases Build 9518 with additional security fixes
2026-01-26  Added to CISA Known Exploited Vulnerabilities catalog
2026-01-29  Warlock (Storm-2603) ransomware group breaches SmarterTools itself using this vulnerability
2026-02-16  CISA BOD 22-01 remediation deadline