Over six thousand SmarterMail systems sit reachable online, possibly at risk due to a serious login vulnerability, found by the nonprofit cybersecurity group Shadowserver. Attention grows as hackers increasingly aim for outdated corporate mail setups left unprotected.
On January 8, watchTowr informed SmarterTools about the security weakness. Released one week later, the patch arrived before an official CVE number appeared. Later named CVE-2026-23760, its severity earned a top-tier rating because of how deeply intruders could penetrate systems. Critical access capabilities made this bug especially dangerous.
A security notice logged in the NIST National Vulnerability Database points to an issue in earlier releases of SmarterMail - versions before build 9511. This flaw sits within the password reset API, where access control does not function properly. Instead of blocking unknown users, the force-reset-password feature accepts input without requiring proof of identity. Missing checks on both token validity and current login details create an open door. Without needing prior access, threat actors may trigger resets for admin accounts using only known usernames. Such exploitation grants complete takeover of affected systems.
Attackers can take over admin accounts by abusing this weakness, gaining full access to vulnerable SmarterMail systems through remote code execution. Knowing just one administrator username is enough, according to watchTowr, making it much easier to carry out such attacks.
More than six thousand SmarterMail servers are now under watch by Shadowserver, each marked as probably exposed. Across North America, over four thousand two hundred sit in this group. Almost a thousand others appear in Asia. Widespread risk emerges where patches remain unused. Organizations slow to update face higher chances of compromise.
Scans showing over 8,550 vulnerable SmarterMail systems came to light through data provided by Macnica analyst Yutaka Sejiyama, reported to BleepingComputer. Though attackers continue targeting the flaw, response levels across networks vary widely - this uneven pace only adds weight to ongoing worries about delayed fixes.
On January 21, watchTowr noted it had detected active exploitation attempts. The next day, confirmation came through Huntress, a cybersecurity company spotting similar incidents. Rather than isolated cases, what they saw pointed to broad, automated attacks aimed at exposed servers.
Early warnings prompted CISA to list CVE-2026-23760 in its active threat database, requiring federal bodies across the U.S. to fix it before February 16. Because flaws like this often become entry points, security teams face rising pressure - especially when hostile groups exploit them quickly. Government systems, along with corporate networks, stand at higher risk once these weaknesses go public.
On its own, Shadowserver noted close to 800,000 IP addresses showing open Telnet signatures during incidents tied to a serious authentication loophole in GNU Inetutils' telnetd - highlighting how outdated systems still connected to the web can widen security exposure.
