SmarterTools has rapidly addressed a critical security vulnerability in its SmarterMail email software, identified as CVE-2026-24423. This flaw, carrying a high CVSS score of 9.3 out of 10.0, presented a significant risk of unauthenticated remote code execution. The company released an update, Build 9511, on January 15, 2026, to patch this and another critical vulnerability that was reportedly being actively exploited in the wild.
The critical remote code execution vulnerability specifically impacted versions of SmarterMail prior to build 9511. According to a description on CVE.org, an attacker could manipulate the SmarterMail ConnectToHub API method. By directing SmarterMail to a malicious HTTP server hosting a compromised operating system command, the vulnerable application could be tricked into executing this command. This discovery is attributed to researchers Sina Kheirkhah and Piotr Bazydlo from watchTowr, Markus Wulftange from CODE WHITE GmbH, and Cale Black from VulnCheck.
SmarterMail Security Vulnerabilities and Patches
This latest patch addresses not only the critical code execution flaw but also a second vulnerability, CVE-2026-23760, which likewise carried a CVSS score of 9.3 and was already being exploited. The swift release of Build 9511 on January 15, 2026, underscores the severity of these security issues and SmarterTools’ commitment to addressing them promptly.
In addition to these critical issues, SmarterTools has also released fixes for a medium-severity security vulnerability. This flaw, designated CVE-2026-25067 with a CVSS score of 6.9, could potentially facilitate NTLM relay attacks and unauthorized network authentication. The vulnerability involves an unauthenticated path coercion issue affecting the background-of-the-day preview endpoint.
NTLM Relay Attacks and Path Coercion
VulnCheck indicated in an advisory that the SmarterMail application improperly handled user-supplied input. The software would base64-decode this input and utilize it as a filesystem path without adequate validation. On Windows systems, this absence of validation allows for the resolution of Universal Naming Convention (UNC) paths. Consequently, the SmarterMail service could be compelled to initiate outbound SMB authentication attempts to hosts controlled by attackers.
The implications of CVE-2026-25067 are significant, as it opens the door for credential coercion, NTLM relay attacks, and unauthorized network authentication. These types of attacks can lead to a compromise of user credentials and unauthorized access to sensitive network resources. This vulnerability was patched in Build 9518, which was released on January 22, 2026.
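The path-coercion pattern described above (base64-decode a request parameter, use it as a filesystem path) is easy to reproduce and easy to harden. The following is an added example written for this article; it is not SmarterMail's code or anything from the VulnCheck advisory. The base directory, the parameter samples and the hostnames are constructed assumptions. It uses Python's ntpath module so that Windows path semantics (drive letters, UNC prefixes) are evaluated the same way on any platform, and it shows both the unchecked join that hands a UNC path straight to the OS and a checked resolver that refuses UNC, drive-qualified, rooted and traversing paths before anything touches the filesystem.

```python
import base64
import binascii
import ntpath

# Hypothetical directory the preview endpoint is meant to serve images from.
# This is an assumption for the example, not SmarterMail's real layout.
BASE_DIR = r"C:\SmarterMail\Backgrounds"


def decode_path_param(encoded: str) -> str:
    """Base64-decode the request parameter, rejecting malformed or NUL-bearing input."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("parameter is not valid base64") from exc
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded path is not valid UTF-8") from exc
    if "\x00" in text:
        raise ValueError("embedded NUL byte")
    if not text:
        raise ValueError("empty path")
    return text


def resolve_unchecked(encoded: str) -> str:
    """The unsafe pattern: decode and join.

    ntpath.join discards BASE_DIR as soon as the decoded value carries its own
    drive or UNC prefix, so the service would open whatever host the client named
    and Windows would authenticate to it over SMB.
    """
    return ntpath.join(BASE_DIR, decode_path_param(encoded))


def resolve_checked(encoded: str) -> str:
    """Hardened form: normalise Windows path syntax, then confine the result to BASE_DIR."""
    relative = decode_path_param(encoded).replace("/", "\\")  # treat '/' like '\' as Windows does
    drive, _ = ntpath.splitdrive(relative)
    if drive.startswith("\\\\"):
        raise ValueError("UNC paths are not allowed")  # \\host\share\..., \\?\..., \\.\...
    if drive:
        raise ValueError("drive-qualified paths are not allowed")  # D:\... or D:relative
    if relative.startswith("\\"):
        raise ValueError("rooted paths are not allowed")  # \Windows\... on the current drive
    base = ntpath.normpath(BASE_DIR)
    candidate = ntpath.normpath(ntpath.join(base, relative))
    # normpath has collapsed any '..' segments; the result must still sit under the base.
    if ntpath.normcase(ntpath.commonpath([base, candidate])) != ntpath.normcase(base):
        raise ValueError("path escapes the base directory")
    return candidate


def rejection_reason(encoded: str):
    """Return None when the parameter is acceptable, otherwise the reason it was refused."""
    try:
        resolve_checked(encoded)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample parameters, base64-encoded the way such an endpoint would expect.
SAMPLE_OK = base64.b64encode(b"sunset.png").decode()
SAMPLE_UNC = base64.b64encode(b"\\\\attacker.example\\share\\bg.png").decode()
SAMPLE_SLASHES = base64.b64encode(b"//attacker.example/share/bg.png").decode()
SAMPLE_TRAVERSAL = base64.b64encode(b"..\\..\\Windows\\win.ini").decode()
SAMPLE_DRIVE = base64.b64encode(b"D:\\other\\bg.png").decode()

if __name__ == "__main__":
    samples = [("ok", SAMPLE_OK), ("unc", SAMPLE_UNC), ("slashes", SAMPLE_SLASHES),
               ("traversal", SAMPLE_TRAVERSAL), ("drive", SAMPLE_DRIVE)]
    for name, sample in samples:
        unchecked = resolve_unchecked(sample)
        checked = rejection_reason(sample) or resolve_checked(sample)
        print(f"{name:9} unchecked -> {unchecked}")
        print(f"{'':9} checked   -> {checked}")
```

The unchecked resolver is the defect the advisory describes: with a UNC value the base directory simply disappears from the joined path. The checked resolver refuses anything that names a host or a drive before the path is ever opened, and the final commonpath comparison catches traversal that would otherwise walk out of the image directory.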
With two vulnerabilities in SmarterMail experiencing active exploitation within a short timeframe, it is imperative for all users to update their software to the latest available versions as soon as possible. Proactive patching is crucial for maintaining a robust email security posture and mitigating the risks associated with known exploits.