
CVE-2026-23760: SmarterMail authentication bypass exploited two days after the patch

What happened

On 15 January 2026, SmarterTools released Build 9511 of SmarterMail, its popular mail server for Windows, fixing a critical authentication bypass vulnerability tracked as CVE-2026-23760. Just two days later, on 17 January, attackers had already analysed the patch, reverse-engineered the flaw and begun actively exploiting servers that had not yet been updated.

The NIST National Vulnerability Database (NVD) assigned it a CVSS 3.1 score of 9.8 (critical) and classified it as CWE-288: authentication bypass using an alternate path or channel.

What the vulnerability is

The problem lies in the force-reset-password API endpoint. According to the official NVD description, this endpoint permits anonymous requests and fails to verify either the existing password or a reset token when resetting system administrator accounts.

In practice, an attacker can send a crafted HTTP request that includes the IsSysAdmin property set to true. The server processes the request and resets the system administrator’s password without asking for prior credentials. From that point on, the attacker controls the most privileged account on the mail server.

Who is affected and severity

The vulnerability affects all SmarterMail versions prior to Build 9511. Because SmarterMail is a widely deployed mail server in Windows environments at SMBs and hosting providers, the impact is broad: at the time of the advisory, more than 6,000 SmarterMail servers were exposed to automated admin-account hijacking.

The severity is at the top of the scale because the flaw is:

  • Remotely exploitable without prior authentication (AV:N/PR:N).
  • Low in attack complexity (AC:L), which makes it easy to automate at scale.
  • High in impact on confidentiality, integrity and availability.

Once the administrator account is compromised, the attacker can read all hosted mail, create or delete mailboxes and, through the built-in management tools, run operating system commands on the underlying host, opening the door to a full system compromise.

Mitigation and patch

The top priority is to update to Build 9511 or later without delay. Since active exploitation is already happening in the wild, any unpatched server should be treated as an immediate target.

Additional recommendations while applying the patch or verifying system state:

  • Restrict access to the administration interface via firewall or VPN, limiting it to trusted IPs.
  • Audit logs for requests to the force-reset-password endpoint and for unexpected administrator password resets.
  • Rotate administrator credentials after updating, assuming the server may have been compromised.
  • Review recently created accounts, forwarding rules and connectors that could indicate attacker persistence.
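A defender-side check for the log audit recommended above, added here as an example that is not part of the original article or of SmarterTools' own tooling: it parses W3C-style web server log lines and flags requests to the force-reset-password endpoint, treating anonymous requests or requests from outside a trusted IP set as suspicious. The log field layout, the sample lines and the URI path are constructed assumptions; the real SmarterMail path may differ, so the match is on the substring "force-reset-password".

```python
"""Flag requests to the force-reset-password endpoint in W3C-style web logs."""
import re
from collections import Counter

# Constructed sample in W3C extended log format; not real SmarterMail logs,
# and the URI path shown is an assumption, not the product's actual route.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-01-17 03:12:40 POST /api/force-reset-password - 203.0.113.7 200
2026-01-17 03:12:41 GET /api/sysadmin/users - 203.0.113.7 200
2026-01-17 08:05:02 GET /interface/root admin 192.0.2.10 200
2026-01-17 09:30:11 POST /api/force-reset-password admin 192.0.2.10 200
2026-01-17 11:47:55 POST /api/force-reset-password - 198.51.100.23 500
"""

# Substring match so the check survives a different path prefix.
ENDPOINT_PATTERN = re.compile(r"force-reset-password", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def flag_force_reset_requests(text, trusted_ips=()):
    """Return every entry that hit the endpoint, marking as suspicious those
    sent without an authenticated user ("-") or from a non-trusted address."""
    hits = []
    for entry in parse_w3c(text):
        if not ENDPOINT_PATTERN.search(entry.get("cs-uri-stem", "")):
            continue
        anonymous = entry.get("cs-username", "-") == "-"
        untrusted = entry.get("c-ip") not in trusted_ips
        entry["suspicious"] = anonymous or untrusted
        hits.append(entry)
    return hits


def summarise_by_ip(hits):
    """Count suspicious hits per source address to prioritise follow-up."""
    return Counter(h["c-ip"] for h in hits if h["suspicious"])


if __name__ == "__main__":
    found = flag_force_reset_requests(SAMPLE_LOG, trusted_ips={"192.0.2.10"})
    for h in found:
        flag = "SUSPICIOUS" if h["suspicious"] else "ok"
        print(f'{h["date"]} {h["time"]} {h["c-ip"]} {h["cs-uri-stem"]} {h["sc-status"]} {flag}')
    print("suspicious sources:", dict(summarise_by_ip(found)))
```

Any suspicious hit should be followed by checking whether an administrator password actually changed at that time and by the credential rotation and persistence review listed above.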

This case illustrates an increasingly common pattern: attackers analyse patches as soon as they are released and rebuild the exploit within hours or days. The window between a fix being published and being exploited keeps shrinking, so fast patching is no longer just a best practice but an operational emergency.
