SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution.
The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0.
“SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method,” according to a description of the flaw in CVE.org.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS [operating system] command. This command will be executed by the vulnerable application.”
watchTowr researchers Sina Kheirkhah and Piotr Bazydlo, CODE WHITE GmbH’s Markus Wulftange, and VulnCheck’s Cale Black have been credited with discovering and reporting the vulnerability.
The security hole has been addressed in version Build 9511, released on January 15, 2026. The same build also patches another critical flaw (CVE-2026-23760, CVSS score: 9.3) that has since come under active exploitation in the wild.
In addition, SmarterTools has shipped fixes to plug a medium-severity security vulnerability (CVE-2026-25067, CVSS score: 6.9) that could allow an attacker to facilitate NTLM relay attacks and unauthorized network authentication.
It has been described as a case of unauthenticated path coercion affecting the background-of-the-day preview endpoint.
“The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation,” VulnCheck noted in an alert.
“On Windows systems, this allows UNC [Universal Naming Convention] paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.”
The vulnerability has been patched in Build 9518, released on January 22, 2026. With two vulnerabilities in SmarterMail coming under active exploitation over the past week, it’s essential that users update to the latest version as soon as possible.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released