A new security flaw in SmarterTools SmarterMail email software has entered active exploitation in the wild just two days after the company released a patch.
Notably, the vulnerability does not yet have a CVE identifier and watchTowr Labs tracks it as WT-2026-0001. SmarterTools patched the issue on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026.
Security researchers describe the issue as an authentication bypass flaw that allows any user to reset the SmarterMail system administrator password through a specially crafted HTTP request sent to the /api/v1/auth/force-reset-password endpoint.
“The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands,” watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said.
Root Cause
At its core, the issue stems from the SmarterMail.Web.Api.AuthenticationController.ForceResetPassword function. Specifically, the function allows unauthenticated access to the endpoint and relies on a boolean flag named IsSysAdmin to determine how the server processes the request based on the user’s privileges.
When the IsSysAdmin flag is set to true—indicating an administrator—the underlying logic executes the following sequence:
- Obtain the configuration corresponding to the username supplied in the HTTP request
- Create a new system administrator item with the provided password
- Update the administrator account with the new password
In other words, the privileged execution path allows anyone to update an administrator’s password simply by submitting an HTTP request containing a known administrator username and a password of their choosing. As a result, the absence of effective security controls enables attackers to gain elevated access if they know an existing administrator account name.
Authentication Bypass Leads Directly to Remote Code Execution
However, the impact extends beyond account takeover. The authentication bypass also provides a direct route to remote code execution by exposing built-in functionality that allows system administrators to run operating system commands and obtain a SYSTEM-level shell.
Attackers can achieve this by navigating to the Settings page, creating a new volume, and entering an arbitrary command into the Volume Mount Command field, which the host operating system then executes.
According to the cybersecurity company, it decided to publicly disclose the vulnerability after a post appeared on the SmarterTools Community Portal. In the post, a user reported losing access to their administrator account, while logs showed use of the same force-reset-password endpoint to change the password on January 17, 2026—just two days after the patch release.
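The post-patch triage the article describes (checking logs for use of the force-reset-password endpoint) is shown below as an added example; it is not code from the article, watchTowr or SmarterTools. It scans constructed access-log lines in a W3C/IIS-like layout, which is an assumption and only approximates a real SmarterMail log, and reports every request to the endpoint regardless of casing, trailing slash or query string; the timestamps and IP addresses are made up.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Endpoint named in the disclosure; compared case-insensitively with the query string dropped.
RESET_ENDPOINT = "/api/v1/auth/force-reset-password"

# Constructed sample lines (date time c-ip method uri-stem status). Assumed layout,
# made up for this example; not real SmarterMail or IIS log data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-17 03:12:40 203.0.113.7 GET /api/v1/settings/sysadmin-settings 401
2026-01-17 03:12:41 203.0.113.7 POST /api/v1/auth/force-reset-password 200
2026-01-17 03:15:02 198.51.100.23 POST /API/v1/Auth/Force-Reset-Password/?x=1 200
2026-01-17 08:00:00 192.0.2.5 POST /api/v1/auth/authenticate-user 200
2026-01-17 08:00:05 192.0.2.5 GET /interface/root 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)


@dataclass
class ResetHit:
    timestamp: str
    source_ip: str
    method: str
    status: int


def is_reset_request(uri: str) -> bool:
    """True if the request path is the force-reset endpoint, ignoring case, trailing slash and query."""
    path = urlsplit(uri).path.rstrip("/").lower()
    return path == RESET_ENDPOINT


def find_reset_hits(log_text: str) -> List[ResetHit]:
    """Return every call to the force-reset-password endpoint found in the log, in file order."""
    hits: List[ResetHit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/comment lines and anything that does not parse are skipped
        if is_reset_request(m["uri"]):
            hits.append(ResetHit(f"{m['date']} {m['time']}", m["ip"], m["method"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_reset_hits(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.source_ip} {hit.method} force-reset-password -> HTTP {hit.status}")
```

Any hit from an address that is not a known administrator workstation, and any hit dated before the Build 9511 upgrade, is a reason to reset administrator credentials and review the Volume Mount Command settings mentioned above.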
Patch Reversal and SmarterTools Response
This activity strongly suggests that attackers reverse engineered the patch to reconstruct the vulnerability. Compounding the issue, SmarterMail’s release notes offer little clarity and fail to explicitly describe the security flaws addressed. In fact, one bullet point for Build 9511 merely states: “IMPORTANT: Critical security fixes.”
In response, SmarterTools CEO Tim Uzzanti indicated that the company intentionally limits disclosure details to avoid providing threat actors with actionable intelligence. Nevertheless, he noted that SmarterTools plans to notify customers via email whenever a new CVE is discovered and again when a build becomes available to address it.
“In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references,” Uzzanti said in response to transparency concerns raised by its customers. “We appreciate the feedback that encouraged this change in policy moving forward.”
At present, it remains unclear whether SmarterTools sent such an email to SmarterMail administrators in this case. The Hacker News has contacted SmarterTools for comment and will update the story if a response arrives.
Meanwhile, this development follows closely on the heels of a disclosure by the Cyber Security Agency of Singapore (CSA), which revealed details last month about a maximum-severity SmarterMail vulnerability (CVE-2025-52691, CVSS score: 10.0) that attackers could exploit to achieve remote code execution.
Source: TheHackerNews