SmarterTools security advisory (AV26-398)
Analysis Summary
# Vulnerability: SmarterMail Remote Code Execution (RCE) via Deserialization
## CVE Details
- **CVE ID:** CVE-2026-28145 (Note: inferred from the context of advisory AV26-398; confirm against the advisory text before citing)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** SmarterMail
- **Versions:** All versions prior to Build 9610
- **Configurations:** Default installations utilizing the SmarterMail web interface and API endpoints.
## Vulnerability Description
A critical deserialization vulnerability exists in the way SmarterMail processes incoming requests. The application deserializes objects supplied by unauthenticated clients without restricting the types that may be instantiated. By sending a specially crafted serialized payload to specific API endpoints, an attacker can trigger execution of arbitrary code in the security context of the SmarterMail service account (typically SYSTEM or Network Service on Windows).
## Exploitation
- **Status:** PoC available; active scanning observed in the wild.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to all emails, user credentials, and server files)
- **Integrity:** Total (Ability to modify system files and mail databases)
- **Availability:** Total (Potential for complete system takeover or service disruption)
## Remediation
### Patches
- **SmarterMail Build 9610:** This update addresses the flaw by implementing strict type-checking for serialized data and upgrading vulnerable underlying libraries.
### Workarounds
- **IP allow-listing:** Restrict access to the SmarterMail management interface and API endpoints to known, trusted source IP addresses until the patch is applied.
- **Web Application Firewall (WAF):** Deploy WAF rules to block requests carrying known .NET deserialization gadget chains (e.g., those generated by YSoSerial.net). Treat this as a stopgap only: payloads can be re-encoded or compressed to evade signature matching, so it does not replace patching.
## Detection
- **Indicators of Compromise:** Alert on unusual child processes spawned by the SmarterMail service process (`MailService.exe` on Windows), such as `cmd.exe`, `powershell.exe`, or `whoami.exe`; a mail service has no routine reason to launch interactive shells.
- **Detection Methods:** Review web server logs for HTTP POST requests to `/api/` endpoints with unusually large request bodies (encoded blobs). Baseline normal API request sizes first so that legitimate attachment or settings traffic is not flagged.
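The two detection points above, worked through as an added example that is not part of the advisory or of SmarterTools' own tooling. It runs offline over constructed sample data: a few Sysmon-style process-creation records (fields `ParentImage`, `Image`, `CommandLine`) and a short IIS W3C log excerpt. The `/api/v1/...` paths, the client addresses, and the 8192-byte threshold are assumptions for illustration, not endpoints or values taken from the advisory; IIS logs do not record request bodies, so request size (`cs-bytes`) stands in for "large encoded blob".

```python
"""Hunt for the two indicators described in the Detection section.

Added example, not SmarterTools code. All inputs below are constructed
sample records, not captured telemetry.
"""
import re

# Child processes the advisory summary lists as suspicious under MailService.exe.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe"}
PARENT_NAME = "mailservice.exe"

# Constructed Sysmon Event ID 1 style records (assumed install path).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\SmarterMail\Service\MailService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # shell from a user session, not the mail service
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\SmarterMail\Service\MailService.exe",
     "Image": r"C:\Windows\System32\WerFault.exe",         # benign child, not in the watch list
     "CommandLine": "WerFault.exe -u -p 4120"},
]

# Constructed IIS W3C excerpt; endpoint names are placeholders, not real routes.
WEB_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2026-03-01 10:00:01 203.0.113.7 POST /api/v1/auth/example-login 200 412
2026-03-01 10:00:05 203.0.113.7 POST /api/v1/example-endpoint 500 93412
2026-03-01 10:00:09 198.51.100.4 GET /interface/root 200 310
2026-03-01 10:00:12 198.51.100.4 POST /api/v1/mail/example-list 200 1532
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def flag_child_processes(events):
    """Return (parent, child, command line) for every event in which
    MailService.exe spawned one of SUSPICIOUS_CHILDREN."""
    hits = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent == PARENT_NAME and child in SUSPICIOUS_CHILDREN:
            hits.append((parent, child, ev.get("CommandLine", "")))
    return hits


def parse_w3c(lines):
    """Yield one dict per IIS W3C record, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):      # skip malformed records rather than guessing
            yield dict(zip(fields, values))


def flag_api_posts(lines, min_bytes=8192):
    """Return (client ip, uri, request bytes) for POSTs to /api/ whose request
    size meets min_bytes. The threshold is an assumption; tune it against the
    server's normal API traffic before alerting on it."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method") != "POST":
            continue
        if not rec.get("cs-uri-stem", "").lower().startswith("/api/"):
            continue
        try:
            size = int(rec.get("cs-bytes", "0"))
        except ValueError:
            continue
        if size >= min_bytes:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], size))
    return hits


if __name__ == "__main__":
    for hit in flag_child_processes(PROCESS_EVENTS):
        print("suspicious child process:", hit)
    for hit in flag_api_posts(WEB_LOG.splitlines()):
        print("large POST to API:", hit)
```

In production the same two functions would be fed from the endpoint telemetry pipeline and from the web server's live log directory rather than from inline samples; the process check is the higher-fidelity signal of the two, since large API POSTs also occur in legitimate use.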
## References
- **SmarterTools Downloads:** hxxps[://]www[.]smartertools[.]com/smartermail/downloads
- **SmarterMail Release Notes:** hxxps[://]www[.]smartertools[.]com/smartermail/release-notes/current
- **Cyber Centre Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/smartertools-security-advisory-av26-398