Cyber Resilience

CVE-2026-24423

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 23 January 2026
Modified: 06 February 2026
KEV Added: 05 February 2026
Patch:
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.8769 (99.7th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-24423 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Smartertools Smartermail. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24423 is an unauthenticated remote code execution vulnerability in SmarterTools SmarterMail versions prior to build 9511. The issue affects the ConnectToHub API method, stemming from CWE-306 (Missing Authentication for Critical Function). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.

An unauthenticated remote attacker can exploit the vulnerability by tricking the SmarterMail instance into connecting to a malicious HTTP server controlled by the attacker. The server then delivers a malicious OS command, which the vulnerable application executes with the privileges of the SmarterMail process, enabling full server compromise including data exfiltration, modification, or disruption.

Advisories from VulnCheck and Code White detail the flaw, while SmarterTools release notes address it in build 9511 and later, recommending immediate upgrades for mitigation. The vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, underscoring the need for urgent patching.

Vulnerability details

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 05 February 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated RCE in a public-facing webmail application (SmarterMail), directly enabling exploitation of public-facing applications via the ConnectToHub API.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23760 · Same product: Smartertools Smartermail · both on KEV
CVE-2025-52691 · Same product: Smartertools Smartermail · both on KEV
CVE-2026-7807 · Same product: Smartertools Smartermail
CVE-2025-61757 · Shared CWE-306 · both on KEV
CVE-2026-41940 · Shared CWE-306 · both on KEV
CVE-2026-39987 · Shared CWE-306 · both on KEV
CVE-2025-0108 · Shared CWE-306 · both on KEV
CVE-2026-4810 · Shared CWE-306
CVE-2025-53847 · Shared CWE-306
CVE-2025-68715 · Shared CWE-306

Affected Assets

Vendor: smartertools
Product: smartermail
Version: ≤ 100.0.9511

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-2 Flaw Remediation

Timely flaw remediation through vendor patching to build 9511 or later directly eliminates the unauthenticated RCE vulnerability in ConnectToHub, as recommended in the advisories.

prevent · SI-10 Information Input Validation

Information input validation prevents the execution of malicious OS commands received from untrusted HTTP servers that the ConnectToHub API is pointed at.

prevent · AC-14 Permitted Actions Without Identification or Authentication

Defining and limiting the actions permitted without identification or authentication directly mitigates CWE-306, the missing authentication on the critical ConnectToHub function.

References