PROBABLYPWNED
Vulnerabilities · February 6, 2026 · 3 min read

SmarterMail Flaw Exploited in Ransomware Attacks

CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.

Marcus Chen

CISA added a third SmarterMail vulnerability to its Known Exploited Vulnerabilities catalog this week after confirming that ransomware operators are chaining it with previously disclosed flaws to take over email servers. CVE-2026-24423, a missing authentication flaw in SmarterMail's ConnectToHub API, allows unauthenticated attackers to execute arbitrary operating system commands on affected servers.

This is the third SmarterMail vulnerability to land in the CISA KEV catalog since late January, following CVE-2025-52691 (a CVSS 10.0 unauthenticated RCE) and CVE-2026-23760 (an authentication bypass for admin password resets). Together, these three flaws form an exploit chain that ransomware groups are using to fully compromise enterprise mail environments.

How the Attack Works

The vulnerable endpoint sits at /api/v1/settings/sysadmin/connect-to-hub and accepts unauthenticated POST requests. Attackers supply a malicious hubAddress parameter that points the SmarterMail instance at an attacker-controlled HTTP server. That server responds with JSON containing a CommandMount parameter—and whatever value it holds gets executed as an OS command on the SmarterMail host.

According to researchers at WatchTowr, who documented the flaw alongside researchers from CODE WHITE GmbH and VulnCheck, the endpoint effectively hands remote command execution to anyone who can reach it over the network. Alternative endpoint paths (/web/api/node-management/setup-initial-connection and /web/api/hub-connection/setup-initial-connection) are also affected.

Once inside, attackers deploy privilege escalation tools, run network discovery utilities to map the internal environment, and ultimately push ransomware payloads to encrypt files across the network. The full chain—from initial access to encryption—requires no credentials at any stage when all three SmarterMail CVEs are combined. The pattern mirrors what we saw with SolarWinds Web Help Desk exploitation earlier this month, where CISA gave federal agencies just three days to patch a similarly weaponized flaw.

Who's Affected

SmarterMail versions before v100.0.9511 are vulnerable. SmarterTools' mail server product is popular with small and mid-size businesses, managed service providers, and hosting companies that offer email services. The self-hosted nature of these deployments means many run on-premises with direct internet exposure—exactly the conditions attackers need.

Federal agencies face a February 26, 2026 remediation deadline under CISA's Binding Operational Directive 22-01. But given active ransomware exploitation, waiting three weeks to patch would be reckless for any organization.

What to Do Now

Update SmarterMail to v100.0.9511 or a later build immediately. If patching isn't possible right away, restrict access to the vulnerable API endpoints at the network level—block external access to /api/v1/settings/sysadmin/connect-to-hub and the alternative paths listed above.

Review server logs for suspicious POST requests to these endpoints. Any interaction from external IPs should be treated as a potential compromise indicator. Organizations already running older SmarterMail versions should also verify they've addressed the earlier CVEs—attackers are chaining all three together, so leaving any one unpatched keeps the door open.
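A concrete way to do the log review above, covering all three endpoint paths named in the "How the Attack Works" section. This is an added example written for this page, not code from the article, from SmarterTools, or from the researchers cited; it assumes a simple whitespace-separated log layout (timestamp, client IP, method, URL, status), which real SmarterMail or reverse-proxy logs will not match exactly, so adjust LOG_RE to your format. The sample log lines are constructed and use RFC 5737 documentation addresses; the "internal" ranges are an assumption to tune to your own network.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Endpoint paths named in the advisory. Compared case-insensitively
# after stripping the query string and any trailing slash.
VULNERABLE_PATHS = {
    "/api/v1/settings/sysadmin/connect-to-hub",
    "/web/api/node-management/setup-initial-connection",
    "/web/api/hub-connection/setup-initial-connection",
}

# Source ranges treated as internal for triage (assumption: loopback plus
# RFC 1918; replace with the networks that legitimately reach the server).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

# Assumed log line layout: <timestamp> <client-ip> <METHOD> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)

# Constructed sample log; the two 203.0.113.45 POSTs are the ones to flag.
SAMPLE_LOG = """\
2026-02-05T10:22:31Z 192.168.1.20 GET /interface/root 200
2026-02-05T10:23:04Z 203.0.113.45 POST /api/v1/settings/sysadmin/connect-to-hub 200
2026-02-05T10:23:05Z 203.0.113.45 POST /web/api/hub-connection/setup-initial-connection?x=1 200
2026-02-05T10:24:11Z 10.0.0.5 POST /api/v1/settings/sysadmin/connect-to-hub 200
2026-02-05T10:25:00Z 198.51.100.7 GET /api/v1/settings/sysadmin/connect-to-hub 405
garbage line that does not parse
"""


def is_internal(ip_text):
    """True if the address falls inside INTERNAL_NETWORKS; unparsable input is untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def normalize_path(url):
    """Reduce a request URL to a lower-case path without query string or trailing slash."""
    path = urlsplit(url).path.lower().rstrip("/")
    return path or "/"


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match LOG_RE."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_requests(lines):
    """Return (timestamp, ip, path) for POSTs to a vulnerable endpoint from a non-internal IP."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = normalize_path(rec["url"])
        if path not in VULNERABLE_PATHS or is_internal(rec["ip"]):
            continue
        hits.append((rec["ts"], rec["ip"], path))
    return hits


if __name__ == "__main__":
    for ts, ip, path in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} POST {path}  <- treat as potential compromise indicator")
```

Internal-source POSTs to these paths are deliberately not flagged here, since the article's indicator is external access; if the endpoints are never used legitimately in your deployment, drop the is_internal check and review every hit. Any flagged host should be examined for the follow-on activity the article describes (privilege escalation tooling and network discovery), not just the request itself.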

Why This Matters

SmarterMail has become a serial offender in 2026. Three exploited vulnerabilities in roughly six weeks point to fundamental problems in the product's security architecture, particularly around API authentication. For organizations still running SmarterMail, this pattern should prompt a serious conversation about whether the platform belongs in their environment at all. Email servers sit at the intersection of credential storage, sensitive communications, and internal network access—exactly the kind of high-value target that ransomware operators prioritize.

The broader trend is clear: attackers aren't just finding individual bugs. They're building exploit chains that combine multiple flaws into reliable, automated attack sequences. Defenders need to think the same way—patching one CVE while ignoring others in the same product leaves the chain intact.
