Critical unauthenticated remote code execution vulnerability in SmarterMail servers through the ConnectToHub API method. Attackers can execute arbitrary OS commands by pointing the server to a malicious HTTP server, with active exploitation confirmed by CISA KEV listing.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-01-23
Added to CISA KEV: 2026-02-05 (13 days between CVE publication and KEV listing)
CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline. This is the third SmarterMail vulnerability to land in the CISA KEV catalog since late January, following CVE-2025-52691 (a CVSS 10.0 unauthenticated RCE) and CVE-2026-23760 (an authentication bypass for admin password resets). Together, these three flaws form an exploit chain that ransomware groups are using to fully compromise enterprise mail environments.
A critical authentication bypass in SmarterTools SmarterMail allows unauthenticated attackers to trick the server into executing arbitrary OS commands by abusing the 'ConnectToHub' API.
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.