🔴 CVE-2026-24423

Critical unauthenticated remote code execution vulnerability in SmarterMail servers through the ConnectToHub API method. Attackers can execute arbitrary OS commands by pointing the server to a malicious HTTP server, with active exploitation confirmed by CISA KEV listing.

Risk Level: HIGH_RISK
CVSS Score: 9.3
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: Yes (+9d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-23

Added to CISA KEV: 2026-02-05 (13 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-02-06)

CVE-2026-24423 is a critical vulnerability affecting SmarterTools SmarterMail servers, allowing unauthenticated attackers to execute arbitrary operating system commands by exploiting the `ConnectToHub` API [1][2].

Here's a breakdown of what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability directly impacts SmarterMail servers, which are often internet-facing to provide email services.
  • Evidence of Active Exploitation: Yes, there is evidence of active exploitation in the wild [1][4]. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, indicating that it has been actively exploited [3][4].
  • Attack Vectors and Exploitation Methods: The primary attack vector involves tricking the SmarterMail server into executing arbitrary OS commands through the `ConnectToHub` API, bypassing authentication [1][2].
  • Targeted Attacks: While specific targeting details are not always disclosed, the exploitation has been linked to ransomware attacks [1]. This suggests that malicious actors are using this vulnerability to gain full compromise of enterprise mail environments.
  • CISA Known Exploited Vulnerabilities Status: CVE-2026-24423 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog [1][4]. This inclusion signifies that CISA has confirmed evidence of active exploitation.
  • Technical Details about Internet Exploitability: The vulnerability allows for unauthenticated remote code execution (RCE) on SmarterMail servers [1][2]. This means an attacker does not need any credentials or prior access to exploit the vulnerability, making it highly dangerous for internet-exposed instances. This is the third SmarterMail vulnerability added to the KEV catalog since late January 2026, with previous ones including CVE-2025-52691 (a CVSS 10.0 unauthenticated RCE) and CVE-2026-23760 (an authentication bypass) [1]. These vulnerabilities can be chained together to achieve full compromise.

Sources

  1. SmarterMail Flaw Exploited in Ransomware Attacks | ProbablyPwned

    CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline. This is the third SmarterMail vulnerability to land in the CISA KEV catalog since late January, following CVE-2025-52691 (a CVS…

  2. CVE-2026-24423: The 'Hub' of All Evils: SmarterMail Unauth RCE | CVEReports

    A critical authentication bypass in SmarterTools SmarterMail allows unauthenticated attackers to trick the server into executing arbitrary OS commands by abusing the 'ConnectToHub' API.

  3. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  4. CISA Adds Four Known Exploited Vulnerabilities to Catalog

    CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.