Another entry joins a pair of prior SmarterMail flaws listed in the KEV database since January 26. One was tagged CVE-2025-52691 - marked by unchecked uploads of hazardous files. The second, assigned CVE-2026-23760, let attackers skip login checks entirely. Analysis came first from experts at watchTowr, who unpacked how each could be triggered. Once those specifics emerged, several security teams observed active attacks; the login flaw saw more frequent abuse. Although both were dissected publicly, it was the broken verification that drew wider misuse.
A security issue labeled CVE-2026-24423 arises because a key part of SmarterMail - the ConnectToHub API - lacks proper access checks. Versions before v100.0.9511 are exposed, letting outsiders run harmful code remotely. Instead of requiring login details, hackers exploit it by submitting a modified POST message. This leads to direct command control on the target machine through intentional input manipulation.
Separate findings came from teams at watchTowr, CODE WHITE GmbH, and VulnCheck. As noted by Cale Black of VulnCheck, the affected endpoint skips any login checks - opening a way to set up server directory links remotely. Because that setup pulls instructions directly from an outside machine under attacker influence, control is effectively handed over. Those instructions appear as support routines inside the system. Once SmarterMail reads them, they run unchecked on whatever platform hosts the software.
Starting at the ConnectToHub endpoint, the process handles a remote address sent via one particular parameter. Afterward, communication initiates from the SmarterMail server toward a machine controlled by the attacker. That system replies - not with ordinary data - but with settings containing command inputs meant to run. Provided minimal checks are satisfied, execution follows without further barriers. Control over the compromised environment expands widely under these conditions.
By February 26, 2026, U.S. federal civilian agencies must fix the vulnerability - this stems from ongoing attacks involving ransomware. Though only binding for federal bodies, its listing in CISA’s KEV catalog hints at wider exposure across any organization using affected SmarterMail versions. Not just government systems face potential harm; real-world misuse raises stakes beyond official mandates.
Right now, updating to the newest SmarterMail release is a top priority, according to analysts watching threats closely. Instead of waiting, teams managing large systems should examine log data - especially activity tied to the open ConnectToHub interface, since probes might show up as odd patterns in API traffic. What stands out is how quickly multiple flaws in SmarterMail entered official exploit databases, signaling that delays in patching could lead to real breaches. Because of this, those overseeing network access must act fast while rethinking how exposed their mail platforms really are.
