
CVE-2026-23760

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 22 January 2026
Modified: 27 January 2026
KEV Added: 26 January 2026
Patch: SmarterMail build 9511 or later
CVSS v4.0 base score: 9.3 (Critical), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.9627 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-23760 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in SmarterTools SmarterMail. Its CVSS v4.0 base score is 9.3 (Critical); under CVSS v3.1 it scores 9.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-23760 is an authentication bypass vulnerability (CWE-288) affecting SmarterTools SmarterMail versions prior to build 9511. The issue resides in the password reset API, specifically the force-reset-password endpoint, which allows anonymous requests without verifying the existing password or a reset token for system administrator accounts. This flaw enables attackers to reset admin credentials directly, leading to full administrative compromise of the SmarterMail instance. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

An unauthenticated attacker can exploit this vulnerability remotely by supplying a target system administrator username and a new password to the force-reset-password endpoint. Successful exploitation grants full administrative privileges within SmarterMail, which includes the ability to execute operating system commands through built-in management functionality. This effectively provides administrative access (SYSTEM on Windows or root on Linux) to the underlying host, allowing arbitrary code execution, data exfiltration, persistence, and further lateral movement.

Advisories from the vendor and researchers, including the SmarterTools release notes, VulnCheck, watchTowr Labs, and Code White, recommend upgrading to SmarterMail build 9511 or later, which adds the missing authentication checks so that unauthorized resets are rejected. No workarounds are detailed beyond patching; because the endpoint is reachable anonymously, updates should be applied immediately.

This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating real-world exploitation; some analyses suggest attackers located the endpoint by decompiling the product. Security practitioners should prioritize scanning for vulnerable SmarterMail instances (builds prior to 9511) and monitor for unexpected system administrator password resets.
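The triage the paragraph above calls for (decide whether a build is affected, then hunt for admin resets) as an added example; this is not code from SmarterTools or from any of the advisories cited here. It assumes Apache/NGINX combined-format access logs from a reverse proxy in front of SmarterMail. The only identifier taken from the page is the endpoint name force-reset-password, so the URL prefix in the constructed sample lines is a placeholder and the matcher keys on the endpoint name alone.

```python
"""
Triage helpers for CVE-2026-23760: decide whether a SmarterMail build is
affected, and hunt web-server access logs for requests that reached the
force-reset-password endpoint.

Added example, not SmarterTools code. Assumptions not stated on the page:
combined-format access logs; the URL prefix before "force-reset-password" in
the sample lines is a placeholder (only the endpoint name is from the advisory).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FIXED_BUILD = 9511  # first build carrying the authentication checks (from the advisory)


def is_vulnerable_build(version: str) -> bool:
    """True when a SmarterMail version string such as '100.0.9246' is older
    than build 9511. SmarterMail version strings end in the build number."""
    build_str = version.strip().split(".")[-1]
    if not build_str.isdigit():
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(build_str) < FIXED_BUILD


# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Match on the endpoint name only; the full path prefix is not asserted by the page.
RESET_ENDPOINT_RE = re.compile(r"force-reset-password", re.IGNORECASE)


@dataclass
class ResetHit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    user_agent: str
    suspicious: bool  # source is not an allow-listed admin workstation


def find_reset_attempts(lines, trusted_ips=frozenset()):
    """Return every request that touched the force-reset-password endpoint.
    The flaw is anonymous, so there is no authenticated user to key on; the
    usable signals are the endpoint, the HTTP status, and the source address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not RESET_ENDPOINT_RE.search(m["path"]):
            continue
        hits.append(ResetHit(
            ip=m["ip"], ts=m["ts"], method=m["method"], path=m["path"],
            status=int(m["status"]), user_agent=m["ua"],
            suspicious=m["ip"] not in trusted_ips,
        ))
    return hits


def summarize_by_source(hits):
    """Per source IP: how many reset requests, and how many the server accepted (2xx)."""
    out = defaultdict(lambda: {"attempts": 0, "accepted": 0})
    for h in hits:
        out[h.ip]["attempts"] += 1
        if 200 <= h.status < 300:
            out[h.ip]["accepted"] += 1
    return dict(out)


# Constructed sample log lines (not real traffic); "/api/placeholder/" stands in
# for whatever prefix the product actually uses in front of the endpoint name.
SAMPLE_LOG = [
    '203.0.113.45 - - [26/Jan/2026:03:14:07 +0000] "POST /api/placeholder/force-reset-password HTTP/1.1" 200 42 "-" "python-requests/2.32.0"',
    '203.0.113.45 - - [26/Jan/2026:03:14:09 +0000] "POST /api/placeholder/force-reset-password HTTP/1.1" 200 42 "-" "python-requests/2.32.0"',
    '198.51.100.7 - - [26/Jan/2026:03:15:22 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [26/Jan/2026:05:41:50 +0000] "POST /api/placeholder/force-reset-password HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '10.0.0.12 - - [26/Jan/2026:08:02:11 +0000] "POST /api/placeholder/force-reset-password HTTP/1.1" 200 42 "https://mail.example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("100.0.9246", "100.0.9511"):
        print(ver, "vulnerable" if is_vulnerable_build(ver) else "fixed")
    hits = find_reset_attempts(SAMPLE_LOG, trusted_ips=frozenset({"10.0.0.12"}))
    for ip, counts in summarize_by_source(hits).items():
        print(ip, counts)
```

Any accepted (2xx) request to the endpoint from an address outside the admin allow-list should be treated as a probable credential reset and followed by a forced password rotation and session review for every system administrator account, not just the one named in the request.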

Vulnerability details

SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.

CWE(s): CWE-288 Authentication Bypass Using an Alternate Path or Channel
KEV Date Added: 26 January 2026

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated authentication bypass in a public-facing webmail application's API endpoint, allowing remote attackers to reset admin credentials and gain full administrative access with OS command execution, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-52691: same product (SmarterTools SmarterMail); both on KEV
CVE-2026-24423: same product (SmarterTools SmarterMail); both on KEV
CVE-2026-7807: same product (SmarterTools SmarterMail)
CVE-2025-2747: shared CWE-288; both on KEV
CVE-2026-24858: shared CWE-288; both on KEV
CVE-2024-55591: shared CWE-288; both on KEV
CVE-2025-24472: shared CWE-288; both on KEV
CVE-2025-2746: shared CWE-288; both on KEV
CVE-2026-44574: shared CWE-288
CVE-2025-69101: shared CWE-288

Affected Assets

smartertools smartermail, versions before 100.0.9511 (builds prior to 9511 are affected; build 9511 and later contain the fix)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the authentication bypass by requiring timely remediation of the specific flaw in the password reset API through patching to SmarterMail build 9511 or later.

prevent (AC-14, Permitted Actions Without Identification or Authentication): Prohibits permitting sensitive actions without identification or authentication, such as anonymous requests to the force-reset-password endpoint for administrator accounts.

prevent (IA-5, Authenticator Management): Ensures secure authenticator management with verification procedures for password resets, preventing unauthorized changes to administrator credentials.
