SmarterMail Email Server Under Attack
A critical authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool is being actively exploited by hackers. This vulnerability allows unauthenticated attackers to reset the system administrator password and obtain full privileges.
What is the Vulnerability?
The issue is with the force-reset-password API endpoint, which is intentionally exposed without authentication. This means that anyone who knows or guesses an admin username could set a new password and hijack the account.
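A defender checking whether that endpoint was reached before patching can start with the web-server access log. The following Python script is an added example, not code from the advisory or from SmarterTools: it parses constructed log lines and reports source addresses whose calls to the force-reset-password endpoint carried no authentication context yet succeeded. The exact URL path and the trailing auth field in the log format are assumptions, since the page names the endpoint only as force-reset-password.

```python
import re
from collections import defaultdict

# Constructed sample log lines in combined log format, extended with a final
# auth=<none|session> field. Real SmarterMail logs differ; the URL path is an
# assumption, the page only names the endpoint as "force-reset-password".
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2026:10:01:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 312 auth=none
203.0.113.7 - - [15/Jan/2026:10:01:05 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 310 auth=none
198.51.100.4 - - [15/Jan/2026:10:02:11 +0000] "GET /api/v1/mail/inbox HTTP/1.1" 200 8812 auth=session
192.0.2.9 - - [15/Jan/2026:10:03:40 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 309 auth=session
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ auth=(?P<auth>\S+)$'
)
TARGET = "force-reset-password"  # substring of the endpoint named in the advisory


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_reset_calls(log_text):
    """Map each source IP to its (timestamp, status, auth) calls to the endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and TARGET in rec["path"]:
            hits[rec["ip"]].append((rec["ts"], int(rec["status"]), rec["auth"]))
    return dict(hits)


def suspicious_sources(log_text):
    """Sources that hit the endpoint with no auth context and got a 2xx back,
    which is the trace an unauthenticated admin password reset would leave."""
    flagged = []
    for ip, calls in find_reset_calls(log_text).items():
        unauth_ok = [c for c in calls if c[2] == "none" and 200 <= c[1] < 300]
        if unauth_ok:
            flagged.append((ip, len(unauth_ok)))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} unauthenticated successful reset call(s)")
```

Any flagged source is a trigger to rotate admin credentials and review the account's activity since the first hit, whether or not the build has since been upgraded.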
Who is Affected?
The flaw affects only admin-level accounts, not regular users. SmarterMail is typically used by managed service providers, small and medium-sized businesses, and hosting providers offering email services.
What to Do?
SmarterMail users should upgrade to the latest version of the software, Build 9511, released on January 15, which addresses both issues. The vulnerability has been assigned the identifier CVE-2026-23760 and is rated critical (CVSS score: 9.3).