
CISA Alert: SmarterMail RCE Vulnerability Exploited in Ransomware Campaigns


CISA Warns of Critical SmarterMail Vulnerability Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning that ransomware actors are exploiting a critical vulnerability in SmarterMail, tracked as CVE-2026-24423. The flaw allows remote code execution without authentication.

SmarterMail is a self-hosted email server and collaboration platform for Windows developed by SmarterTools. It provides SMTP/IMAP/POP mail services, webmail, calendars, contacts, and basic groupware functionality. The platform is commonly used by managed service providers (MSPs), small and medium-sized businesses, and hosting companies worldwide, with approximately 15 million users across 120 countries according to SmarterTools.

Exploiting CVE-2026-24423 in SmarterMail

The vulnerability affects SmarterMail versions prior to build 9511 and can be exploited for remote code execution (RCE) through the ConnectToHub API. Security researchers from the cybersecurity companies watchTowr, CODE WHITE, and VulnCheck responsibly disclosed the flaw to SmarterTools, which released a fix in SmarterMail Build 9511 on January 15.

CISA has recognized the severity of the situation by adding CVE-2026-24423 to its Known Exploited Vulnerabilities (KEV) catalog, and the agency has confirmed that the vulnerability is being actively exploited in ransomware campaigns.

The agency states, “SmarterTools SmarterMail contains a missing authentication for a critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server that serves the malicious OS command and could lead to command execution.”

As a result, CISA has issued guidance for federal agencies and entities obligated under BOD 22-01 to either apply the security updates and recommended mitigations or discontinue the use of SmarterMail by February 26, 2026.


Additional Security Concerns and Recommendations

Following the patch for CVE-2026-24423, watchTowr researchers discovered another authentication bypass flaw, internally designated WT-2026-0001. This flaw allows the administrator password to be reset without verification and was exploited by threat actors shortly after the patch release. To address these issues, additional critical security patches for SmarterMail have been released, the latest being build 9526, made available on January 30.
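The two build thresholds above matter separately: a server updated to build 9511 is protected against CVE-2026-24423 but still exposed to WT-2026-0001 until it reaches build 9526. The following triage script is an added example (not code from the article, CISA or SmarterTools); it assumes the build number is the third dotted component of a SmarterMail version string, and the hostnames in the inventory are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Fix thresholds as reported in the article: CVE-2026-24423 was fixed in
# build 9511, and WT-2026-0001 is addressed by build 9526.
FIXES = (
    ("CVE-2026-24423", 9511),
    ("WT-2026-0001", 9526),
)
# Remediation deadline CISA set for agencies under BOD 22-01.
BOD_22_01_DEADLINE = date(2026, 2, 26)


@dataclass
class Finding:
    host: str
    build: int
    unpatched: tuple   # advisories still open on this host
    overdue: bool      # True once the BOD 22-01 deadline has passed


def parse_build(version: str) -> int:
    """Extract the build number from a version string such as '100.0.9511.12345'.
    Assumption (not from the article): the build is the third dotted component."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not parts[2].isdigit():
        raise ValueError(f"unrecognised SmarterMail version string: {version!r}")
    return int(parts[2])


def triage(inventory, today):
    """Return a Finding for every host still missing at least one fix,
    ordered with the most exposed hosts (most open advisories, oldest build) first."""
    findings = []
    for host, version in inventory:
        build = parse_build(version)
        open_advisories = tuple(name for name, fixed_in in FIXES if build < fixed_in)
        if open_advisories:
            findings.append(Finding(host, build, open_advisories, today > BOD_22_01_DEADLINE))
    findings.sort(key=lambda f: (-len(f.unpatched), f.build))
    return findings


# Constructed sample inventory; these are not real hosts or observed versions.
SAMPLE_INVENTORY = [
    ("mail-01.example.test", "100.0.9520.30001"),  # has the 9511 fix, still short of 9526
    ("mail-02.example.test", "100.0.9526.30100"),  # fully patched
    ("mail-03.example.test", "100.0.9500.29800"),  # missing both fixes
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date(2026, 2, 10)):
        print(f.host, f.build, ", ".join(f.unpatched), "OVERDUE" if f.overdue else "")
```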
