Description
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.
Published: 2026-01-23
Score: 9.3 Critical
EPSS: 80.3% High
KEV: Yes
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SmarterMail builds before 9511 have an unauthenticated remote code execution vulnerability in the ConnectToHub API. When an attacker points the mail server at a malicious HTTP server that returns an OS command, the vulnerable application executes that command. By inference, this flaw lets anyone who can send requests to the API run arbitrary commands with the privileges of the SmarterMail process, compromising confidentiality, integrity and availability.

Affected Systems

The vulnerability affects SmarterMail from SmarterTools, specifically all builds prior to 9511. Administrators should check the build number of their installation and upgrade if it is below 9511.

Risk and Exploitability

The CVSS score of 9.3 indicates critical impact, and an EPSS score of 0.8% indicates a very low likelihood of exploitation. The vulnerability is listed in the CISA KEV catalog, underscoring that it is actively exploited. Exploitation requires no authentication and can be performed over the network by directing the service to an attacker-controlled server. Because the flaw is missing authentication for a critical function (CWE-306), an attacker can reach the endpoint without credentials and escalate to remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SmarterMail to build 9511 or later, following the vendor’s release notes.
  • If an upgrade is not immediately possible, restrict external access to the ConnectToHub API by firewall or network segmentation.
  • Disable or restrict use of the ConnectToHub endpoint until the patch is applied, using application configuration or access controls.

Generated by OpenCVE AI on April 18, 2026 at 19:51 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 06 Feb 2026 17:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Feb 2026 21:15:00 +0000

Type: References

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 20:45:00 +0000

Type: Metrics (kev)
Values Added: {'dateAdded': '2026-02-05T00:00:00+00:00', 'dueDate': '2026-02-26T00:00:00+00:00'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Smartertools; Smartertools smartermail

Type: Vendors & Products
Values Added: Smartertools; Smartertools smartermail

Fri, 23 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 17:00:00 +0000

Type: Description
Values Added: SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

Type: Title
Values Added: SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API

Type: Weaknesses
Values Added: CWE-306

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:27.539Z

Reserved: 2026-01-22T18:21:46.813Z

Link: CVE-2026-24423

Vulnrichment

Updated: 2026-01-23T18:35:36.880Z

NVD

Status : Analyzed

Published: 2026-01-23T17:16:13.483

Modified: 2026-02-06T16:45:15.323

Link: CVE-2026-24423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses