
SmarterMail Joined CISA KEV With Two CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To OS Shell Without Touching A Password.

  • Writer: Patrick Duggan
  • 8 min read

CISA added two SmarterTools SmarterMail vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2026-23760 is an authentication bypass in the password-reset API. CVE-2026-24423 is a missing-authentication flaw in a different API that ends in remote code execution. Each one is a serious finding on its own. Chained, they are a fully unauthenticated path from the open internet to an OS shell on the mail server.


This is a long-form analysis because the chain matters more than either CVE in isolation, and because mail servers as a class of internet-exposed asset are an underrated soft surface in most defenders' threat models. We are publishing it because we have no prior coverage of SmarterMail in the DugganUSA archive. That gap closes today.


SmarterMail in one paragraph



SmarterMail is a Windows-native mail server developed by SmarterTools. It runs on Windows Server and ships an admin web UI, a webmail client, an Exchange Web Services compatibility layer, and an IMAP/POP/SMTP backend in a single deployment. It is popular with hosting providers, small and midsize businesses, MSPs running shared mail for clients, and law firms or accounting practices that want a self-hosted mail platform without the operational weight of Exchange. Public Shodan data has historically shown thousands of instances exposed to the internet on the admin port. Real numbers vary by quarter, but the count of SmarterMail surfaces reachable from anywhere has ranged from several thousand to the low five figures.


CVE-2026-23760 — the front door is unlocked



The first vulnerability is an authentication bypass in the password-reset API. The specific endpoint is a force-reset-password handler that, in vulnerable versions, accepts anonymous requests. There is no existing-password check. There is no reset-token check. There is no email-loop confirmation. The handler takes a target administrator username and a new password as parameters and writes the new password into the account.


In plain language: any unauthenticated attacker who can reach the SmarterMail admin endpoint over the network can pick a target administrator account by username — admin is the obvious default — and replace its password with one of their choosing. After the request, they hold valid administrator credentials.


This class of flaw is sometimes called an alternate-path authentication bypass. The intended path for resetting a password requires a reset token issued through a verified email flow. The vulnerable path bypasses the token requirement entirely. The two paths existed in parallel in the routing layer and only one of them had the guard.


CVSS for CVE-2026-23760 is high, but the severity number understates the operational reality: an anonymous attacker pivots to administrator in a single HTTP request. Detecting it on the wire requires the ability to inspect POST bodies to the password-reset endpoint, which in practice means terminating TLS in front of the server. Detecting it on the host requires audit logs that record the source IP and the unauthenticated nature of the request, which depends on logging configuration that not every operator has turned on.


CVE-2026-24423 — the second door is also unlocked, and it leads to a shell



The second vulnerability is in the ConnectToHub API method. Per the CISA KEV description, ConnectToHub is missing authentication for a critical function. The function in question, in normal operation, allows an authenticated administrator to point the SmarterMail instance at a SmarterTools hub for cloud features. In the vulnerable build, the endpoint accepts unauthenticated calls and allows the caller to specify an arbitrary HTTP server as the hub target.


Once the SmarterMail instance is pointed at an attacker-controlled server, the server can respond with payloads that the ConnectToHub flow processes. The processing path includes operating-system command execution as part of the integration handshake. The result is remote code execution as the SmarterMail service account, which on a Windows host is typically a service-tier account with enough rights to read configuration, dump mail stores, persist scheduled tasks, and pivot.


CVE-2026-24423 is the more serious of the two on its face because it goes directly to code execution. But research notes have described it as requiring administrator context to reach the vulnerable function in the first place. Whether the flaw as shipped is fully pre-authentication or requires the admin context depends on the deployment and the version. That ambiguity is exactly why the chain with CVE-2026-23760 is the load-bearing risk: with the reset bypass in hand, the attacker has administrator context either way.


The chain — five steps, no credentials required



Here is the operational attack chain, end to end. Read it as a sequence and notice that no step requires anything more than HTTP access to the SmarterMail instance.


Step one. The attacker discovers a SmarterMail instance reachable on the internet. Shodan, Censys, or simple HTTP fingerprinting on common SmarterMail ports finds them. The fingerprint is distinctive. The admin login page and the webmail page both carry SmarterMail branding in HTML and in HTTP response headers, so a worldwide enumeration takes a single afternoon and a low-rent VPS budget.


Step two. The attacker sends an anonymous POST to the force-reset-password endpoint specifying admin as the target user and a password of their choosing. CVE-2026-23760. No token. No email confirmation. The server returns success.


Step three. The attacker logs into the admin web UI with admin and their freshly chosen password. They are now an authenticated administrator on the target mail server. Mail stores, user lists, mailbox contents, archived legal-hold data, calendar entries, distribution lists, and connector configurations are all in reach. For many SmarterMail deployments — law firms, MSPs holding mail for dozens of client tenants, healthcare adjacents that route patient communications through SmarterMail — this is already the entire breach. The attacker does not need step four to exfiltrate value.


Step four. With the admin context in hand, the attacker calls the ConnectToHub API and supplies an attacker-controlled HTTP server as the hub endpoint. CVE-2026-24423. The SmarterMail instance reaches out to the attacker server and processes the response. In deployments where ConnectToHub is reachable without authentication at all, steps two and three are unnecessary and the chain collapses to this single call plus the callback it triggers.


Step five. The attacker-controlled hub responds with a payload that triggers OS command execution as the SmarterMail service account. The attacker now has a shell on a Windows host that, by definition, holds inbound mail flow for one or more domains, has SMTP relay rights, and sits inside the trust boundary that the rest of the corporate network extends to its own mail server.


The total wire-level footprint is small: two to three HTTP requests take an attacker from unauthenticated stranger to code execution. There is nothing to fuzz, no buffer offsets to tune, no ASLR to defeat. The bugs are logic bugs in routing and authentication, and logic bugs are reliable across OS versions and hardware in a way that memory-corruption bugs are not. A working chain written this week will keep working against unpatched servers next year.


Why mail servers are the wrong soft surface to ignore



Mail servers occupy a position in most network architectures that is almost designed for lateral movement once compromised. The mail server has internet exposure on purpose. It has inbound SMTP, outbound SMTP, IMAP for clients, EWS for Outlook compatibility, an admin panel, and a webmail panel. It holds long-term archives of every message that has crossed the organization. It is permitted to relay mail to external recipients, which means a compromised mail server is a credible phishing platform that sends from real, trusted, SPF-aligned, DKIM-signed domains.


In MSP and hosting-provider deployments the multiplier is worse. A single SmarterMail instance often holds mail for dozens or hundreds of client tenants. One compromised server is a tenant-wide compromise across an entire customer book of business. The blast radius is set by the deployment model, not by the CVE.


Compared to the perimeter assets that get most of the patch-management attention — VPN concentrators, firewalls, identity providers — mail servers are under-monitored in the average shop. Defender XDR, CrowdStrike, SentinelOne, and the other endpoint suites will catch the post-exploitation behavior if the mail server has an agent deployed. The honest reality is that a lot of small and midsize Windows mail servers do not have endpoint agents on them at all, because they predate the rollout, because the procurement was a one-time line item, or because the operator decided that mail was "not a workstation."


What you should do today



If you operate SmarterMail, the action list is short.


Identify whether you are exposed. Pull a list of every SmarterMail host in your estate. Check the version against the patched build SmarterTools has published in their advisory tied to these two CVEs. The vendor advisory is the source of truth for the exact fixed version numbers, since SmarterTools issues patches as point releases within the major version tree.


Patch. Apply the SmarterMail update from SmarterTools that addresses both CVEs. Reboot the host or restart the SmarterMail Windows service as the vendor instructs. Do not assume a one-CVE patch covers both — confirm from the release notes that both 23760 and 24423 are in the fixed build.


If you cannot patch in the same business day, restrict access. Limit the admin panel and the API endpoints to a management VLAN, a VPN, or a small allowlist of source IPs. The webmail surface and the SMTP listener can remain public for service availability, but the admin and API surfaces should not be reachable from the open internet under any deployment model that values its mail.


Audit recent administrator activity. Pull SmarterMail audit logs for password resets that have no corresponding ticket or user-initiated flow. Pull Windows event logs for the SmarterMail service account: unusual process creation (Security event 4688 or Sysmon event 1) and network connections from the service to unexpected hosts (Sysmon event 3). The signature of a successful chain exploitation is a password-reset event, followed by an administrator login from an unfamiliar IP, followed by service-account process or network activity that reads as anomalous.
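The three-event signature above is easy to describe and easy to miss when the events live in two different logs. The script below is an added example, not SmarterTools code and not taken from any vendor log format: it assumes you have already normalized SmarterMail audit entries and Windows Security/Sysmon events into a common dict shape (ts, kind, user, src_ip, ticket, dest) and correlates them per password reset, reporting how far along the chain each one got. The sample events, IP addresses, account names and the service-account name are constructed for the example.

```python
"""Chain-stage correlation over normalized log events.

Added example, not SmarterTools code. The event schema (ts, kind, user,
src_ip, ticket, dest, process) is an assumption for this example: in
practice you map SmarterMail audit log lines and Windows Security/Sysmon
events into this shape first.
"""
from datetime import datetime, timedelta

VERDICTS = {
    1: "untracked password reset: review",
    2: "untracked reset then admin login from unfamiliar IP: likely compromise",
    3: "reset, login and service-account activity: chain complete, treat host as compromised",
}


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real logs). "svc_activity" events come from
# the host side and carry the process name and, for network events, a dest.
SAMPLE_EVENTS = [
    # full chain: anonymous reset of admin, login from the same unfamiliar IP,
    # then the service spawning a shell that calls out to an unexpected host
    {"ts": _t("2026-05-14T02:11:04"), "kind": "password_reset", "user": "admin",
     "src_ip": "203.0.113.77", "ticket": None},
    {"ts": _t("2026-05-14T02:11:19"), "kind": "admin_login", "user": "admin",
     "src_ip": "203.0.113.77"},
    {"ts": _t("2026-05-14T02:12:40"), "kind": "svc_activity",
     "user": "svc-smartermail",  # assumed service-account name
     "process": "cmd.exe", "dest": "198.51.100.9"},
    # benign: helpdesk reset with a ticket, login from the management VLAN
    {"ts": _t("2026-05-14T09:30:00"), "kind": "password_reset", "user": "jsmith",
     "src_ip": "10.0.5.10", "ticket": "HD-4412"},
    {"ts": _t("2026-05-14T09:31:00"), "kind": "admin_login", "user": "jsmith",
     "src_ip": "10.0.5.10"},
    # worth a look: reset with no ticket, but login from a known admin address
    {"ts": _t("2026-05-14T10:02:00"), "kind": "password_reset", "user": "bkim",
     "src_ip": "10.0.5.10", "ticket": None},
    {"ts": _t("2026-05-14T10:03:30"), "kind": "admin_login", "user": "bkim",
     "src_ip": "10.0.5.10"},
]


def find_chains(events, known_admin_ips, expected_dests, window=timedelta(hours=2)):
    """Return one finding per untracked password reset with the chain stage reached.

    Stage 1: reset with no ticket. Stage 2: the reset account then logs in
    from an IP outside known_admin_ips within the window. Stage 3: after that
    login, the service account shows activity whose destination is not in
    expected_dests (a process-only event with no dest also counts).
    """
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, reset in enumerate(events):
        if reset["kind"] != "password_reset" or reset.get("ticket"):
            continue  # ticketed resets are expected operator activity
        deadline = reset["ts"] + window
        stage, login_ip = 1, None
        for ev in events[i + 1:]:
            if ev["ts"] > deadline:
                break
            if (stage == 1 and ev["kind"] == "admin_login"
                    and ev["user"] == reset["user"]
                    and ev["src_ip"] not in known_admin_ips):
                stage, login_ip = 2, ev["src_ip"]
            elif (stage == 2 and ev["kind"] == "svc_activity"
                    and ev.get("dest") not in expected_dests):
                stage = 3
                break
        findings.append({"user": reset["user"], "reset_from": reset["src_ip"],
                         "login_from": login_ip, "stage": stage,
                         "verdict": VERDICTS[stage]})
    return findings


if __name__ == "__main__":
    # known_admin_ips and expected_dests are operator-supplied allowlists;
    # the values here are placeholders for the constructed sample.
    for f in find_chains(SAMPLE_EVENTS, {"10.0.5.10"}, {"hub.example.invalid"}):
        print(f"{f['user']:<8} stage {f['stage']}  {f['verdict']}")
```

Run against the constructed sample it reports admin at stage 3 and bkim at stage 1, and skips jsmith's ticketed reset. The window and the two allowlists are the tuning knobs: the management-VLAN addresses you normally administer from, and whatever legitimate hub or vendor hosts the service is expected to contact.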


Rotate. If you find any indication that an administrator account was reset outside of normal operations, treat the host as compromised. Rotate every administrator password, every API key, every connector credential, and every shared service account. Force every user to reset their mailbox password and re-issue device app passwords. Examine mailbox forwarding rules and outbound queues for attacker-introduced changes. Phishing from a compromised real mail server is one of the highest-fidelity post-exploitation outcomes that exists, and the cleanup has to include the mail-flow side as well as the host side.


Hunt across the perimeter even if you do not run SmarterMail. The detection patterns generalize. Anomalous POSTs to authentication-flow endpoints, anonymous calls to administrative APIs, and outbound HTTP from a service account to a low-reputation host are universal signals that the same shape of bug in any product would surface.


What this fits into



Two themes. First, the soft-surface bleed pattern. The hard perimeter — firewalls, EDR, MFA on knowledge-worker accounts — generally holds in well-instrumented environments. The soft surfaces — mail servers, supply chain dependencies, third-party integrations, service accounts, vendor portals — are where the breaches actually land. Four of the last five public breaches that crossed our coverage threshold this quarter started on a soft surface, not the hard perimeter. Mail servers are squarely in that category.


Second, the CISA KEV cadence. CISA added these two CVEs on May 13. The federal patch deadline for KEV entries is typically three weeks. That window is for federal civilian agencies. For private-sector defenders, the actionable window is the next several days. Active exploitation evidence is the entry criterion for the KEV catalog. By the time a CVE is on KEV, it is being used in the wild, and the gap between KEV listing and broad opportunistic scanning is measured in days, not weeks.


If you read this far and you do not run SmarterMail, the takeaway is the pattern. Two CVEs on the same vendor, same product, same day, that chain together to give an unauthenticated attacker an OS shell, is the shape of bug that recurs across the entire mail-server category. Last year it was a Zimbra chain. The year before that it was an Exchange chain. This year, this week, it is SmarterMail. The category-level lesson — mail servers are internet-exposed lateral-movement multipliers and deserve perimeter-asset levels of patch discipline — has not changed.


Where we sit



We had no prior SmarterMail coverage. That gap is closed by this writeup. Going forward, our iocs index will tag SmarterMail-attributable indicators against these two CVE identifiers, and our STIX feed customers will see the indicators flow through with the normal lead time once active exploitation campaigns produce attributable infrastructure. If your detection stack consumes our feed, this is the kind of pattern we instrument for. If it does not yet, the registration link is in the footer of the blog.


Patch today. Restrict the admin surface tomorrow. Audit on Monday. The chain is two to three requests long, the surface is internet-facing by definition, and the exploitation cost to an attacker is approximately one afternoon.


Sources: CISA Known Exploited Vulnerabilities Catalog entries for CVE-2026-23760 and CVE-2026-24423, added May 13, 2026. SmarterTools security advisory for the SmarterMail release that addresses both CVEs. DugganUSA internal coverage gap confirmed against the iocs and blog indexes on May 15, 2026.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
