Update now! Attackers take over SmarterMail instances as admin
Three critical security vulnerabilities threaten SmarterTools email software SmarterMail. A security update is available.
Currently, attackers are targeting SmarterMail instances. If attacks are successful, they gain full control as administrators. A repaired version is available for download.
All three security vulnerabilities (CVE-2026-23760, CVE-2026-24423, CVE-2025-52691), which have since been closed in SmarterMail 100.0.9511, are classified with a threat level of “critical.” All previous versions are said to be vulnerable. According to the US security authority CISA, attackers are already exploiting the first two vulnerabilities.
Serious Dangers
In the first case, the password reset API is flawed and mishandles resets of system administrator accounts. Because it performs insufficient checks in this context, anonymous requests get through, and attackers can create admin accounts without authentication. From there, they can access the host as root, which amounts to a complete compromise.
In the second case, attackers can force connections to an HTTP server under their control and serve malicious code through it. The third vulnerability is rated with the maximum CVSS score of 10 out of 10. At this point, remote attackers can upload and execute malicious code without logging in.
The extent to which the attacks are currently occurring is unknown. It is also unclear at this time how admins can identify already successfully attacked instances. The release notes for SmarterMail versions contain only extremely brief hints about the security problems.
In at least one case, it is clear that administrators must look for admin accounts they do not recognize and delete them immediately. By then, however, it is probably already too late, and the attackers have set up a backdoor. Administrators should therefore keep an eye on log files and block suspicious network traffic.
(des)