DE&TH to Vulnerabilities: Huntress Catches SmarterMail Account Takeover Leading to RCE

Background / Summary 

The Huntress DE&TH (Detection Engineering and Threat Hunting) Team has observed in-the-wild exploitation of a privileged account takeover vulnerability (CVE-2026-23760) in SmarterTool’s SmarterMail application that has resulted in successful remote code execution. Our testing has indicated that versions of SmarterMail prior to Build 9511 are vulnerable. Users of SmarterMail are urged to upgrade to the latest version, Build 9511, released on January 15, 2026.

Note that this is separate from the ongoing mass exploitation of CVE-2025-52691, an arbitrary file upload vulnerability in SmarterMail that also leads to remote code execution. At the time of writing Huntress contacted SmarterTools and held off publishing whilst CVE-2026-23760 was published as it was already in the process of being disclosed by WatchTowr. Despite this, Huntress has observed a different method being used for remote code execution in the wild.

In-depth analysis of the threat 

Huntress’ DE&TH Team has observed in-the-wild exploitation of a privileged account takeover vulnerability within the SmarterMail application. Once exploited, the threat actor used a hijacked privileged account to access the SmarterMail System Events functionality, wherein malicious System Events were created to execute reconnaissance commands on vulnerable hosts.

A review of the relevant application logs on exploited hosts has shown that the threat actor(s) made a series of HTTP POST requests to the SmarterMail application to achieve their objectives.

Table 1 (below) presents the requests in the order in which they were observed, along with a corresponding note to detail their relevance in the attack.

These requests were made in quick succession across multiple customers, suggesting mass automated exploitation.

Vulnerability analysis

Comparing version 9504 which was released on January 8, and 9511 which was released on January 15th, we can see the root cause of the vulnerability being fixed, whereby it previously didn’t check if the old password submitted to /api/v1/auth/force-reset-password was valid or not.

Figure 1: Comparison of SmarterMail binary versions 9504 and 9511

Huntress has successfully created an exploit for the aforementioned vulnerability which demonstrates that a privileged user’s password can be changed without authentication.

Conclusion

Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection. 

Indicators of compromise