Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.

PUBLISHED Reserved 2026-01-22 | Published 2026-01-23 | Updated 2026-02-06 | Assigner VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CISA Known Exploited Vulnerability

Date added 2026-02-05 | Due date 2026-02-26

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status: unaffected

Any version before 100.0.9511: affected

Credits

Sina Kheirkhah & Piotr Bazydlo of watchTowr (finder)

Markus Wulftange of CODE WHITE GmbH (finder)

Cale Black of VulnCheck (finder)

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2026-24423 (government-resource)

www.smartertools.com/smartermail/release-notes/current (release-notes, patch)

code-white.com/public-vulnerability-list/ (third-party-advisory)

www.vulncheck.com/...nauthenticated-rce-via-connecttohub-api (third-party-advisory)

cve.org (CVE-2026-24423)

nvd.nist.gov (CVE-2026-24423)