Full Report
A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch. The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management
Analysis Summary
# Vulnerability: SmarterMail Authentication Bypass Leading to RCE
## CVE Details
- CVE ID: Not Assigned (Tracked as WT-2026-0001)
- CVSS Score: Information Not Available (Likely Critical due to RCE potential)
- CWE: Information Not Available
## Affected Systems
- Products: SmarterTools SmarterMail email software
- Versions: Versions prior to Build 9511
- Configurations: Any configuration where an attacker knows an existing administrator username.
## Vulnerability Description
This critical vulnerability is an authentication bypass flaw associated with the `/api/v1/auth/force-reset-password` endpoint. An unauthenticated user can exploit this endpoint by sending a crafted HTTP request that includes the `IsSysAdmin` boolean flag set to "true", along with the targeted system administrator's username and a desired new password. The underlying logic fails to check for proper authentication, directly allowing the attacker to reset the password for any known admin account. Furthermore, once administrator access is obtained via credential reset, the flaw provides a direct path to Remote Code Execution (RCE) by using a built-in functionality that allows administrators to execute operating system commands via the "Volume Mount Command" field during the creation of a new volume mount.
## Exploitation
- Status: Exploited in the wild (Observed two days after patch release)
- Complexity: Low (Requires knowledge of an admin username and a simple HTTP request).
- Attack Vector: Network
## Impact
- Confidentiality: High (Full system access allows data exfiltration)
- Integrity: High (Ability to modify system/user configurations)
- Availability: High (Ability to execute OS commands can lead to system shutdown or data destruction)
## Remediation
### Patches
- Update to SmarterTools SmarterMail **Build 9511** (Released January 15, 2026).
### Workarounds
- No specific workaround was detailed in the source material other than applying the patch. If patching is delayed, restrict access to the administrative API, and at minimum to `/api/v1/auth/force-reset-password`, at a reverse proxy or firewall so that only trusted addresses can reach it; mail clients do not need this endpoint. After patching, audit system administrator accounts for password changes that no administrator made, since a reset performed before the patch survives the upgrade.
## Detection
- **Indicators of Compromise:** POST requests to `/api/v1/auth/force-reset-password` that carry no session context (no session cookie or authorization header), especially from external addresses, and especially when they coincide with a system administrator password change. Evidence of operating system commands executed through the administrative interface (for example, creation of a volume mount with a "Volume Mount Command") by an account that had just been reset. In-the-wild exploitation was observed from January 17, 2026, two days after the patch, so review logs from that date onward first, without assuming earlier activity is clean.
- **Detection methods and tools:** Web server, reverse proxy or WAF logs are the place to see the HTTP request; configure alerts on POST requests to the endpoint above that lack session context. Endpoint detection and response (EDR) tooling will not see the request, but it can catch the second stage: alert on unexpected child processes spawned by the SmarterMail service process, which is what execution of a "Volume Mount Command" looks like at the host level.
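The first indicator above, worked into a small log-hunting script. This is an added example, not code from watchTowr Labs or SmarterTools. It assumes a combined-log-style access log in which the proxy appends one extra field, `cookie="..."`, holding the request's Cookie header (`"-"` when absent); the sample lines are constructed, and the placeholder admin path in them is not a real SmarterMail route. Any request to the reset endpoint without a cookie is flagged, with severity raised when the reset succeeded and the same source then made authenticated requests within a short window, which is what an attacker logging in with the new password looks like.

```python
"""Hunt for WT-2026-0001 exploitation indicators in HTTP access logs.

Added example; not code from watchTowr Labs or SmarterTools.
Assumed log format (constructed): Apache combined log plus a trailing
cookie="<Cookie header or ->" field emitted by the reverse proxy.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RESET_ENDPOINT = "/api/v1/auth/force-reset-password"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FOLLOW_UP_WINDOW = timedelta(minutes=15)  # assumption: attacker logs in soon after reset

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" cookie="(?P<cookie>[^"]*)"$'
)


@dataclass
class Event:
    src: str
    ts: datetime
    method: str
    path: str
    status: int
    cookie: str


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(
        src=m["src"],
        ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        method=m["method"],
        path=m["path"].split("?", 1)[0],  # ignore query string when matching the route
        status=int(m["status"]),
        cookie=m["cookie"],
    )


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_resets(lines):
    """Return (src, timestamp, severity, reason) for each unauthenticated reset."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    for i, e in enumerate(events):
        if e.method != "POST" or e.path != RESET_ENDPOINT:
            continue
        if e.cookie != "-":
            continue  # carried session context: the reset flow a logged-in admin would use
        severity = "high" if not is_internal(e.src) else "medium"
        reason = "unauthenticated POST to force-reset-password"
        # A successful reset followed by authenticated traffic from the same source
        # is the attacker using the password they just set.
        if 200 <= e.status < 300:
            for later in events[i + 1:]:
                if later.ts - e.ts > FOLLOW_UP_WINDOW:
                    break
                if later.src == e.src and later.cookie != "-":
                    severity = "critical"
                    reason += "; followed by authenticated activity from the same source"
                    break
        alerts.append((e.src, e.ts.isoformat(), severity, reason))
    return alerts


# Constructed sample log; addresses are documentation ranges, paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.4 - - [17/Jan/2026:09:00:01 +0000] "GET /api/v1/mail/folders HTTP/1.1" 200 512 "-" "Mozilla/5.0" cookie="SM=abc"',
    '203.0.113.7 - - [17/Jan/2026:09:02:10 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 87 "-" "python-requests/2.32" cookie="-"',
    '203.0.113.7 - - [17/Jan/2026:09:03:30 +0000] "POST /api/v1/some-admin-endpoint HTTP/1.1" 200 45 "-" "python-requests/2.32" cookie="SM=zzz"',
    '10.0.0.5 - - [17/Jan/2026:09:10:00 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 400 12 "-" "curl/8.5" cookie="-"',
]

if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_LOG):
        print(*alert)
```

Treating "any cookie" as session context is deliberately loose: the goal is to surface every reset request that arrived without a session, and a legitimate administrator-driven reset will show up once and be easy to dismiss. Tighten the cookie check to the actual session cookie name once you have confirmed it in your own logs.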
## References
- Vendor Advisory/Patch Notes: hxxps://www.smartertools.com/smartermail/release-notes/current#:~:text=Build%209511%20%28Jan%2015%2C%202026
- WatchTowr Labs Tracking: hxxps://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/