
The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method," according to a description of the flaw in CVE.org. "The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS [operating system] command. This command will be executed by the vulnerable application."
"The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation," VulnCheck noted in an alert. "On Windows systems, this allows UNC [Universal Naming Convention] paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication." The vulnerability has been patched in Build 9518, released on January 22, 2026.
Two critical SmarterMail vulnerabilities were patched, including an unauthenticated remote code execution vulnerability (CVE-2026-24423, CVSS 9.3) in the ConnectToHub API that allowed attackers to point the service at a malicious HTTP server serving an OS command that the application then executes. Build 9511, released January 15, 2026, addressed that RCE and another critical flaw (CVE-2026-23760, CVSS 9.3) under active exploitation. A separate medium-severity path coercion vulnerability (CVE-2026-25067, CVSS 6.9) allowed base64-decoded attacker input to be used as a filesystem path, so that on Windows a UNC path resolves and triggers outbound SMB authentication to an attacker-controlled host, enabling credential coercion and NTLM relay attacks. Build 9518, released January 22, 2026, patched the path coercion flaw. Researchers credited include Sina Kheirkhah, Piotr Bazydlo, Markus Wulftange, and Cale Black.
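The path coercion bug class described above (base64-decode a parameter, use it as a path, let Windows resolve `\\host\share` and authenticate outbound) is easy to reproduce and easy to close. The following is an added illustration, not SmarterTools' code and not derived from the patched build: it models the Windows path rules with Python's `ntpath` so it runs on any host, uses an assumed base directory `C:\SmarterMail\Hub`, and contrasts the unvalidated decode with a validator that rejects UNC, device, drive-absolute and rooted paths and confines the result to the base directory.

```python
import base64
import binascii
import ntpath

# Assumed illustrative base directory; the real product's layout is not on the page.
BASE_DIR = r"C:\SmarterMail\Hub"


class UnsafePath(ValueError):
    """Raised when a decoded path parameter must not be used."""


def encode_param(path: str) -> str:
    """Build the base64 form a client would send (helper for demos and tests)."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def decode_param(b64: str) -> str:
    """Strict base64 + UTF-8 decode; any garbage is rejected rather than guessed at."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise UnsafePath(f"not valid base64: {exc}") from None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        raise UnsafePath("not valid UTF-8") from None


def vulnerable_resolve(b64: str) -> str:
    """The pattern the advisory describes: decode and hand the result to the filesystem.
    A value of \\\\attacker\\share\\x survives untouched; on Windows the service
    would then open it and send an SMB authentication to 'attacker'."""
    return ntpath.normpath(decode_param(b64))


def safe_resolve(b64: str, base_dir: str = BASE_DIR) -> str:
    """Decode, then allow only a relative path that stays inside base_dir."""
    path = decode_param(b64)
    if "\x00" in path:
        raise UnsafePath("embedded NUL byte")
    # Windows accepts '/' as a separator, so //attacker/share is also a UNC path.
    path = path.replace("/", "\\")
    drive, _rest = ntpath.splitdrive(path)
    if drive:
        # Non-empty drive covers C:, \\host\share, and \\?\ / \\.\ device prefixes.
        raise UnsafePath(f"absolute, UNC or device path rejected: {path!r}")
    if path.startswith("\\"):
        # Rooted path (\Windows\...) resolves against the current drive root.
        raise UnsafePath(f"rooted path rejected: {path!r}")
    base_norm = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base_norm, path))
    # Traversal check after normalisation: ..\.. must not climb out of base_dir.
    if ntpath.commonpath([base_norm, full]) != base_norm:
        raise UnsafePath(f"path escapes base directory: {full!r}")
    return full


def check(b64: str, base_dir: str = BASE_DIR) -> tuple:
    """Convenience wrapper: (True, resolved_path) or (False, reason)."""
    try:
        return True, safe_resolve(b64, base_dir)
    except UnsafePath as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest the shapes the advisory warns about.
    samples = [
        "mail\\user1.eml",
        "\\\\attacker\\share\\f",
        "//attacker/share/f",
        "C:\\Windows\\win.ini",
        "..\\..\\Windows\\win.ini",
        "\\Windows\\win.ini",
    ]
    for s in samples:
        b = encode_param(s)
        print(f"{s!r:32} vulnerable -> {vulnerable_resolve(b)!r:36} safe -> {check(b)}")
```

The key property is that the decision is made on the decoded, separator-normalised string before anything touches the filesystem: a `\\host\share` value that reaches `open()`, `File.Exists()` or a directory listing on Windows is already enough to trigger the outbound SMB authentication, so validation has to happen earlier, and it must treat a leading drive, a UNC prefix, a rooted path and `..` traversal as four separate ways out of the base directory.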
Read at The Hacker News