Just weeks after a major vulnerability rocked the SmarterMail ecosystem, security researchers have uncovered a new, critical flaw that is already being weaponized in the wild. watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah have disclosed details of WT-2026-0001, an authentication bypass vulnerability that allows unauthenticated attackers to hijack administrative accounts and achieve full Remote Code Execution (RCE).
The discovery comes hot on the heels of a previous RCE incident. As the researchers wryly noted, the situation has “a timeline that is typically reserved for KEV hall-of-famers”.
The vulnerability lies within the force-reset-password API endpoint of the SmarterMail web interface. Intended for legitimate password recovery, the function failed to implement basic security checks for system administrators.
According to the report, the endpoint was marked to allow anonymous access, which is standard for reset flows. However, the critical failure occurred in the logic handling admin requests. “There are no security controls here. No authentication. No authorization. No verification of OldPassword”.
Attackers simply needed to send a JSON request with IsSysAdmin set to true, the target username, and a new password. The system would then overwrite the administrator’s credentials without validating the old password—a step that ironically was enforced for regular users.
“This is a complete authentication bypass for the system administrator account,” the researchers confirmed. “Enjoy your admin access!”.
The report highlights that threat actors are actively exploiting this flaw to seize control of email servers.
watchTowr received a tip from an anonymous reader whose logs showed suspicious activity just days after the vendor released a patch. “The smoking gun? The logs suggest that exploitation occurred two days after the patch was released”.
The provided logs reveal an efficient attack pattern:

- 10:51:58: Attacker logs in successfully as admin.
- 10:52:00: Attacker creates a malicious event.
- 10:52:04: Attacker creates a domain google.abc.com.
- 11:49:02: The log entry “User @ successfully force-reset-password” appears, which researchers identified as “the exact endpoint implicated in WT-2026-0001”.
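As an added illustration (not code from watchTowr or SmarterTools), the small Python scanner below applies the pattern above to log lines: it flags a successful force-reset-password recorded with no authenticated user, and lists system-admin changes such as domain or event creation for triage. The line format and the sample entries are constructed for this example, since the report only quotes the force-reset-password entry itself.

```python
import re
from dataclasses import dataclass

# Constructed line shape for this example; real SmarterMail log formatting
# is assumed to be similar but was not taken from the report:
#   "<date> <time> User <name>@<domain> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"User (?P<user>[^@\s]*)@(?P<domain>\S*) (?P<msg>.*)$"
)

@dataclass
class Finding:
    severity: str   # "high" | "review" | "info"
    ts: str
    actor: str      # "<name>@<domain>" as logged; "@" means no identity
    reason: str

def scan(log_text: str) -> list[Finding]:
    """Flag WT-2026-0001 indicators: a successful force-reset-password with
    no authenticated identity, plus admin actions worth triaging around it."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or differently formatted line
        ts, user, domain, msg = m.group("ts", "user", "domain", "msg")
        actor = f"{user}@{domain}"
        if "force-reset-password" in msg:
            if user == "":
                findings.append(Finding("high", ts, actor,
                    "force-reset-password succeeded with no authenticated user"))
            else:
                findings.append(Finding("info", ts, actor,
                    "authenticated force-reset-password (confirm with the user)"))
        elif user == "admin" and ("created domain" in msg or "created event" in msg):
            findings.append(Finding("review", ts, actor,
                f"system-admin change to triage: {msg}"))
    return findings

# Constructed sample log mirroring the timeline in the report (dates assumed).
SAMPLE_LOG = """\
2026-01-17 10:51:58 User admin@ logged in successfully
2026-01-17 10:52:00 User admin@ created event
2026-01-17 10:52:04 User admin@ created domain google.abc.com
2026-01-17 11:49:02 User @ successfully force-reset-password
2026-01-17 12:03:10 User alice@example.com successfully force-reset-password
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.ts} {f.actor:<20} {f.reason}")
```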
Accessing the admin panel is only the first step. SmarterMail includes a feature for “Volume Mounts” that allows administrators to map storage drives. However, this feature effectively serves as a built-in backdoor for those with admin rights.
“SmarterMail exposes built-in functionality that allows a system administrator to execute operating system commands,” the report explains.
By creating a new volume and supplying an arbitrary command (such as cmd.exe /c calc) in the Volume Mount Command field, attackers can trigger immediate execution by the underlying OS. “In our proof of concept, this results in a SYSTEM-level shell on the target host”.

SmarterTools released Build 9511 on January 15, 2026, to address this vulnerability. The patch adds a validation step that checks the user’s old password before allowing a reset.