Data Security, Email security, Identity, Vulnerability Management, Patch/Configuration Management, Threat Intelligence

SmarterMail flaw under active attack post-patch

AI and Email

A critical vulnerability in SmarterTools SmarterMail, identified as WT-2026-0001, is currently being exploited in the wild. This flaw, which allows for an authentication bypass, was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by watchTowr Labs. Despite the patch, attackers are actively targeting unpatched systems, highlighting the urgency for immediate updates, according to a recent report by Security Affairs.

The vulnerability resides in SmarterMail's APT unauthenticated ForceResetPassword API endpoint. Attackers can exploit this by sending a specially crafted request that manipulates an IsSysAdmin flag. By setting this flag to true, an attacker can bypass authentication and reset the administrator password without needing the old password or any second-factor verification. This initial access can then be escalated to achieve remote code execution by abusing built-in administrator features, such as Volume Mounts, to run arbitrary OS commands and gain SYSTEM-level control. A proof-of-concept demonstrating this SYSTEM-level shell access has been developed.

The active exploitation of WT-2026-0001, even after a patch release, underscores a persistent threat landscape where attackers actively monitor for and exploit newly disclosed vulnerabilities. This incident emphasizes the critical importance of prompt patching and diligent security practices for businesses relying on email server software. The lack of an assigned CVE number at the time of active exploitation also highlights potential delays in broader security advisories and threat intelligence sharing.

Source: Security Affairs

You can skip this ad in 5 seconds