CVE-2026-24423 — SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability

CVE-2026-24423

SmarterMail — Unauthenticated ConnectToHub API enables OS command execution via malicious server redirect

What is SmarterMail?

SmarterTools SmarterMail is a self-hosted enterprise email and collaboration server platform for Windows and Linux. It provides SMTP, IMAP, POP3, webmail, calendaring, and task management for organizations that run their own mail infrastructure rather than relying on cloud providers. SmarterMail is widely deployed by web hosting companies, ISPs, managed service providers, and organizations requiring on-premises email control. Because it is an internet-facing server running with high privileges — typically SYSTEM on Windows or root on Linux — and holds access to all organizational mailboxes and communications, a compromised SmarterMail instance is a high-value target for both espionage and ransomware operations.

CVE-2026-24423 is the second of two critical zero-authentication vulnerabilities in SmarterMail patched in Build 9511 (January 15, 2026); the companion vulnerability CVE-2026-23760 affects the same product and was exploited in the same campaigns.

Overview

CVE-2026-24423 is a CWE-306 (Missing Authentication for Critical Function) vulnerability in SmarterMail's ConnectToHub API method. The /api/v1/settings/sysadmin/connect-to-hub endpoint requires no authentication and allows any unauthenticated caller to instruct the SmarterMail server to establish a connection to an arbitrary attacker-controlled HTTP server. When the attacker's server responds with a specially crafted JSON payload containing a CommandMount parameter, the SmarterMail process executes the supplied OS command with its full privilege level — SYSTEM on Windows, root on Linux.

This is a server-side request forgery (SSRF) escalated to remote code execution: the victim server makes an outbound connection to the attacker, receives instructions, and executes them — all triggered by a single unauthenticated POST from the attacker to the SmarterMail instance. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on February 5, 2026, following confirmation of active ransomware exploitation. It is flagged for ransomware use.

Affected Versions

Component              Vulnerable                  Fixed
SmarterMail (Windows)  All builds prior to 9511    Build 9511 (Jan 15, 2026); Build 9518+ recommended
SmarterMail (Linux)    All builds prior to 9511    Build 9511 (Jan 15, 2026); Build 9518+ recommended

Build 9518 (January 22, 2026) includes additional security hardening beyond the minimum patch in Build 9511 and is the vendor-recommended version.

Technical Details

The ConnectToHub API endpoint (/api/v1/settings/sysadmin/connect-to-hub) is classified as a system administrator function for configuring hub server connectivity. The flaw is that the endpoint performs no authentication check — it accepts and processes POST requests from any remote caller without requiring a session token, API key, or credential of any kind.

The exploit chain works as follows:

  1. Attacker sends a POST to /api/v1/settings/sysadmin/connect-to-hub on the target SmarterMail instance, supplying the URL of an attacker-controlled server.
  2. SmarterMail makes an outbound connection to the attacker's server at a predefined secondary endpoint, as part of the "hub registration" flow.
  3. The attacker's server responds with a JSON payload containing a CommandMount parameter set to the desired OS command.
  4. SmarterMail executes the command locally, running it in the context of the SmarterMail service process (SYSTEM on Windows, root on Linux).

No prior authentication or existing foothold is required. The attack originates entirely from the attacker — the SmarterMail server is instructed to call home and receive its own payload. This design makes the vulnerability exploitable even when SmarterMail's web interface is behind a NAT or firewall, as long as the SmarterMail server can reach the attacker's server over the internet.

In observed campaigns, CVE-2026-24423 is used in conjunction with CVE-2026-23760: attackers first use the admin password reset flaw to obtain authenticated access, then leverage ConnectToHub to escalate to OS-level code execution, or in some cases use ConnectToHub directly as a standalone RCE path.

Discovery

CVE-2026-24423 was independently discovered and reported by four researchers: Sina Kheirkhah and Piotr Bazydlo of watchTowr Labs, Markus Wulftange of CODE WHITE GmbH, and Cale Black of VulnCheck. The CVE was published January 23, 2026, eight days after SmarterTools released the initial patch.

Exploitation Context

Active exploitation was confirmed in ransomware campaigns from at least January 17, 2026, two days after the patch release. The most significant confirmed incident is the breach of SmarterTools' own infrastructure on January 29, 2026, attributed to Warlock ransomware, also tracked as Gold Salem (Sophos) and Storm-2603 (Microsoft). Warlock is described as a threat actor that blends state-sponsored espionage methods with cybercrime tactics, with a focus on enterprise software vendors and hosting providers. SmarterTools publicly confirmed the breach on February 9, 2026.

CISA added CVE-2026-24423 to the KEV catalog on February 5, 2026 — two weeks after the companion CVE-2026-23760 was added on January 26, 2026. Both are flagged as associated with ransomware use. The two CVEs are closely related in exploitation: attackers frequently chain them to achieve authenticated admin access followed by OS command execution on the same target.

Remediation

  1. Patch: Upgrade SmarterMail to Build 9518 or later immediately. Build 9511 is the minimum fix, but Build 9518 includes additional security hardening and is the vendor-recommended version.
  2. Firewall / access restriction: Block unauthenticated external access to the SmarterMail administrative API. If SmarterMail does not need to be publicly accessible for end users, restrict ports 443/80 to known IP ranges. At a minimum, ensure the SmarterMail admin interface is not reachable from untrusted networks.
  3. Egress filtering: The ConnectToHub attack requires the SmarterMail server to make outbound HTTP connections to attacker infrastructure. Consider restricting outbound HTTP/HTTPS from the SmarterMail service to known legitimate hubs and update servers to limit SSRF exploitation paths.
  4. Log review: Audit web server access logs for POST requests to /api/v1/settings/sysadmin/connect-to-hub from any external source. Review application logs for unexpected outbound HTTP connections initiated by the SmarterMail process. Also check for POST requests to /api/v1/auth/force-reset-password with IsSysAdmin=true (CVE-2026-23760), which is commonly paired in the same attack. Any unrecognized system administrator accounts or unexpected configuration changes should be treated as indicators of compromise.
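The log review in step 4 can be scripted. The following is an added example, not code from SmarterTools or from this advisory: it scans web access logs in a constructed combined-log-style format (SmarterMail's own log format may differ) for POST requests to the two endpoints named above and marks the ones from outside an assumed trusted management range. The sample log lines and the trusted networks are constructed assumptions; adjust both to your environment.

```python
import re
import ipaddress

# Endpoint paths are the ones named in this advisory; the notes are labels only.
WATCHED_PATHS = {
    "/api/v1/settings/sysadmin/connect-to-hub": "CVE-2026-24423 ConnectToHub POST",
    "/api/v1/auth/force-reset-password": "CVE-2026-23760 force-reset-password POST",
}

# Assumption: these ranges are the trusted admin networks; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed combined-log-style line: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside an assumed trusted management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(addr in net for net in TRUSTED_NETS)

def scan_access_log(lines):
    """Return one finding per POST to a watched endpoint, flagging external sources."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        # Normalise: drop query string and trailing slash, compare case-insensitively.
        path = m.group("path").split("?", 1)[0].rstrip("/").lower()
        if m.group("method") != "POST" or path not in WATCHED_PATHS:
            continue
        findings.append({
            "ip": m.group("ip"), "time": m.group("ts"), "path": path,
            "status": int(m.group("status")), "external": not is_trusted(m.group("ip")),
            "note": WATCHED_PATHS[path],
        })
    return findings

# Constructed sample log (documentation addresses only); two external hits, one internal.
SAMPLE_LOG = [
    '198.51.100.9 - - [17/Jan/2026:03:10:01 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 98',
    '203.0.113.7 - - [17/Jan/2026:03:12:44 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub/?x=1 HTTP/1.1" 200 512',
    '10.1.2.3 - - [17/Jan/2026:08:00:00 +0000] "GET /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 405 0',
    '10.1.2.3 - - [17/Jan/2026:08:00:05 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 512',
    '192.0.2.55 - - [17/Jan/2026:08:01:00 +0000] "GET /interface/root HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(("EXTERNAL " if f["external"] else "internal ") + f["ip"], f["time"], f["note"], f["status"])
```

Any external hit on either endpoint, or any hit at all from a source you do not recognise as an administrator, warrants the follow-up checks the advisory lists (outbound connections from the service process, unknown sysadmin accounts, configuration changes).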

Key Details

Property               Value
CVE ID                 CVE-2026-24423
Vendor / Product       SmarterTools — SmarterMail
NVD Published          2026-01-23
NVD Last Modified      2026-02-06
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-306
CISA KEV Added         2026-02-05
CISA KEV Deadline      2026-02-26
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-02-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2026-01-15  SmarterTools releases Build 9511 patching CVE-2026-24423 and CVE-2026-23760
2026-01-17  Active exploitation of SmarterMail vulnerabilities begins
2026-01-22  SmarterTools releases Build 9518 with additional security hardening
2026-01-23  CVE-2026-24423 published
2026-01-29  Warlock (Storm-2603) ransomware breaches SmarterTools using this vulnerability
2026-02-05  Added to CISA Known Exploited Vulnerabilities catalog
2026-02-09  SmarterTools publicly confirms breach; exploitation details widely reported
2026-02-26  CISA BOD 22-01 remediation deadline