
Fresh SmarterMail Flaw Exploited for Admin Access

The exploitation of the authentication bypass vulnerability started two days after patches were released.

Threat actors started exploiting an authentication bypass vulnerability in the SmarterTools SmarterMail business email and collaboration server roughly two days after patches were released, security researchers warn.

Tracked as CVE-2026-23760 (CVSS score of 9.3), the security defect impacts the password reset API of the application and allows attackers to reset passwords without authentication.

The issue exists because the force-reset-password function accepts unauthenticated requests containing user-controlled parameters and does not verify the old password or a reset token for administrator accounts.

This enables an attacker who knows an administrator’s username to reset the account’s password without authentication and take control of the vulnerable SmarterMail instance.
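As an added illustration of the defect class described above (not SmarterMail's code; the handler, the in-memory user store and the request field names are hypothetical), a minimal force-reset handler that trusts user-controlled parameters with no caller authentication, beside a hardened version that requires proof of control of the target account through either an authenticated session plus the current password or a single-use reset token, with no exemption for administrators:

```python
import hashlib
import hmac
import os

# Constructed user store: username -> {"salt", "hash", "admin"}; not real data.
def _hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def make_store():
    salt = os.urandom(16)
    return {"admin": {"salt": salt, "hash": _hash_pw("original-admin-pw", salt), "admin": True}}

def verify_password(store, username, pw):
    user = store.get(username)
    return user is not None and hmac.compare_digest(user["hash"], _hash_pw(pw, user["salt"]))

def reset_password_vulnerable(store, request):
    """Resets whichever account the request names. No session check, no old
    password, no reset token: knowing a username is enough to take it over."""
    user = store.get(request["username"])
    if user is None:
        return False
    user["hash"] = _hash_pw(request["new_password"], user["salt"])
    return True

def reset_password_hardened(store, request, session_user=None, valid_tokens=None):
    """Permits the reset only when the caller proves control of the target:
    an authenticated session for that same user plus the current password, or
    a single-use reset token issued to that user. Admin accounts get no bypass."""
    target = request["username"]
    user = store.get(target)
    if user is None:
        return False
    token = request.get("reset_token")
    if token is not None:
        # Token path: must match the single-use token issued for this user.
        issued = (valid_tokens or {}).get(target)
        if issued is None or not hmac.compare_digest(issued, token):
            return False
        valid_tokens.pop(target)  # consume the token so it cannot be replayed
    else:
        # Session path: the caller must be the account owner and know the old password.
        if session_user != target or not verify_password(store, target, request.get("old_password", "")):
            return False
    user["hash"] = _hash_pw(request["new_password"], user["salt"])
    return True
```

The hardened handler also rejects a request that omits both a token and a matching session, which is the exact shape of the unauthenticated request the advisory describes.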

According to WatchTowr, the flaw can be exploited for remote code execution (RCE) through SmarterMail functionality that enables a system administrator to execute operating system commands.

After resetting an admin’s account, the attacker can create a new volume in the settings menu and include a command in the Volume Mount Command field. Because the command is executed by the underlying OS, the attacker achieves complete RCE on the host.

The authentication bypass issue was addressed in SmarterMail version 9511, which was released on January 15.

WatchTowr says it has seen widespread exploitation of CVE-2026-23760 for nearly a week and assumes that threat actors have reverse-engineered the fix.

“We’re seeing active, widespread exploitation of a new bug that received a patch less than a week ago. The fix has already been reverse-engineered, and exploitation leads straight to full RCE,” WatchTowr founder and CEO Benjamin Harris told SecurityWeek.

On Thursday, Huntress warned that hackers have been exploiting the application’s System Events functionality in attacks targeting the SmarterMail authentication bypass.

The cybersecurity firm observed threat actors making HTTP POST requests to vulnerable instances to exploit CVE-2026-23760, obtain valid access tokens, configure a malicious System Event, add a new domain to SmarterMail, and perform clean-up operations.

Likely meant for reconnaissance, the malicious System Event was triggered by the addition of the new domain, Huntress says.

Users should update their SmarterMail instances to a patched release as soon as possible.

“Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection,” Huntress notes.
