Fresh SmarterMail Flaw Exploited for Admin Access
securityweek
Threat actors started exploiting an authentication bypass vulnerability in the SmarterTools SmarterMail business email and collaboration server roughly two days after patches were released, security researchers warn.
Tracked as CVE-2026-23760 (CVSS score of 9.3), the security defect impacts the password reset API of the application and allows attackers to reset passwords without authentication.
The issue exists because the force-reset-password function accepts unauthenticated requests containing user-controlled parameters and does not verify the old password or a reset token for administrator accounts.
This enables an attacker who knows an administrator’s username to reset the account’s password without authentication and take control of the vulnerable SmarterMail instance.
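As an added illustration, not SmarterMail's code (the article shows none), the following Python model contrasts a force-reset handler with the reported shape of the defect, an administrator branch that trusts user-controlled parameters without any proof of account ownership, against a hardened version that demands either the current password from the logged-in owner or a server-issued reset token for every account. The class and function names, the HMAC token scheme and the sample secret are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key

@dataclass
class Account:
    username: str
    password_hash: str  # hex SHA-256 for brevity; a real system uses a slow KDF
    is_admin: bool

@dataclass
class ResetRequest:
    target: str                   # user-controlled: whose password to reset
    new_password: str             # user-controlled
    session_user: Optional[str]   # authenticated caller, None for an unauthenticated request
    old_password: Optional[str] = None
    reset_token: Optional[str] = None

def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def issue_reset_token(username: str) -> str:
    """Server-minted token bound to one account (assumed scheme: HMAC over the username)."""
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()

def ownership_proven(acct: Account, req: ResetRequest) -> bool:
    """True if the caller is the logged-in owner and knows the current password, or holds a valid token."""
    knows_old = (req.session_user == acct.username and req.old_password is not None
                 and hmac.compare_digest(acct.password_hash, hash_password(req.old_password)))
    has_token = req.reset_token is not None and hmac.compare_digest(
        issue_reset_token(acct.username), req.reset_token)
    return knows_old or has_token

def vulnerable_force_reset(acct: Account, req: ResetRequest) -> bool:
    """Models the reported defect: administrator accounts skip the ownership check entirely."""
    if req.target != acct.username or (not acct.is_admin and not ownership_proven(acct, req)):
        return False  # only non-admin targets ever reach ownership_proven
    acct.password_hash = hash_password(req.new_password)
    return True

def hardened_force_reset(acct: Account, req: ResetRequest) -> bool:
    """Fix: every account, admin or not, requires proof of ownership before the reset."""
    if req.target != acct.username or not ownership_proven(acct, req):
        return False
    acct.password_hash = hash_password(req.new_password)
    return True
```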
According to WatchTowr, the flaw can be exploited for remote code execution (RCE) through SmarterMail functionality that enables a system administrator to execute operating system commands.
After resetting an admin’s account, the attacker can create a new volume in the settings menu ...
Copyright of this story solely belongs to securityweek.