
Jan 24, 2026 · 5 min read

Hackers Are Exploiting This Email Server Flaw to Take Over Admin Accounts

A critical authentication bypass in SmarterMail lets attackers reset admin passwords without credentials. The vulnerability was exploited in the wild just two days after a patch was released.


If your organization runs SmarterMail, attackers may already have admin access to your email server.

Security researchers at watchTowr discovered a critical authentication bypass vulnerability in SmarterMail that allows unauthenticated attackers to reset administrator passwords and gain complete control of email servers. The flaw, now tracked as CVE-2026-23760, carries a severity rating of 9.3 out of 10.

The worst part: hackers began exploiting it just two days after the patch was released, suggesting they reverse engineered the fix to weaponize the vulnerability.

How the Attack Works

The vulnerability exists in SmarterMail's password reset API endpoint. The force-reset-password endpoint was intentionally designed to operate without authentication, but its implementation contained a critical flaw.

The endpoint accepts a JSON request with an IsSysAdmin boolean property. When an attacker sets this value to true, the backend executes the administrator password reset logic without verifying the old password or any other credential. The root cause is that a value the client controls selects the privileged code path: the server decides which reset logic to run from the request body rather than from its own record of who is calling and whether they have proved it.

In other words: if you know the admin username (often just "admin"), you can reset the password to anything you want. No authentication required.
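The bug class, as an added example that is not SmarterMail's code and not from the original article. It models a force-reset-password handler two ways: a vulnerable shape in which a client-supplied IsSysAdmin flag selects an unauthenticated administrator path, and a hardened shape in which privilege is read from the server's own user record and every reset must prove the old password or a single-use, server-issued token. The user store, the field names other than IsSysAdmin (Username, NewPassword, OldPassword, ResetToken) and the token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration of the bug class described above. This is NOT SmarterMail's
# code: the user store, the request fields other than IsSysAdmin, and the token
# scheme are assumptions for the example.


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store() -> dict:
    """Constructed user table: one system administrator and one ordinary user."""
    store = {}
    for name, pw, sysadmin in (("admin", "Correct-Horse-1", True),
                               ("alice", "Battery-Staple-2", False)):
        salt = os.urandom(16)
        store[name] = {"salt": salt, "hash": _hash(pw, salt), "sysadmin": sysadmin}
    return store


def check_password(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    return rec is not None and hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def _set_password(store: dict, user: str, new_password: str) -> None:
    salt = os.urandom(16)
    store[user].update(salt=salt, hash=_hash(new_password, salt))


def force_reset_vulnerable(store: dict, body: dict) -> bool:
    """Vulnerable shape: a client-supplied boolean picks the privileged code path,
    and that path verifies nothing at all."""
    user, new_password = body["Username"], body["NewPassword"]
    if user not in store:
        return False
    if body.get("IsSysAdmin") is True:
        # Administrator branch: no old password, no token, no session. Anyone who
        # can reach the endpoint and knows the username takes the account.
        _set_password(store, user, new_password)
        return True
    # Ordinary-user branch (assumed for the example): requires the old password.
    if not check_password(store, user, body.get("OldPassword", "")):
        return False
    _set_password(store, user, new_password)
    return True


def issue_reset_token(tokens: dict, user: str) -> str:
    """Server-side step that would sit behind an out-of-band check (e-mail link,
    console access). The token is the only secret the client later presents."""
    tokens[user] = secrets.token_hex(16)
    return tokens[user]


def force_reset_hardened(store: dict, body: dict, tokens: dict) -> bool:
    """Hardened shape: privilege is whatever rec["sysadmin"] says on the server;
    body.get("IsSysAdmin") is never read. Every reset, admin or not, must prove
    the old password or present a single-use server-issued token."""
    user, new_password = body["Username"], body["NewPassword"]
    rec = store.get(user)
    if rec is None:
        return False
    token = tokens.get(user)
    proved = check_password(store, user, body.get("OldPassword", "")) or (
        token is not None and hmac.compare_digest(token, body.get("ResetToken", ""))
    )
    if not proved:
        return False
    tokens.pop(user, None)  # a token is good for exactly one reset
    _set_password(store, user, new_password)
    return True


if __name__ == "__main__":
    attack = {"Username": "admin", "NewPassword": "attacker-chosen", "IsSysAdmin": True}
    s = make_store()
    print("vulnerable accepted:", force_reset_vulnerable(s, attack),
          "admin now uses attacker password:", check_password(s, "admin", "attacker-chosen"))
    s = make_store()
    print("hardened accepted:  ", force_reset_hardened(s, attack, {}),
          "admin now uses attacker password:", check_password(s, "admin", "attacker-chosen"))
```

Running the block shows the vulnerable handler accepting the attacker's body with no credential at all, and the hardened handler refusing the same body. The point to carry into any reset endpoint: the request body may name the account, but it must never be allowed to choose the privilege level of the code that services it.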

From Password Reset to Complete Server Takeover

While the vulnerability is classified as an authentication bypass, it provides a direct path to remote code execution with the highest possible privileges, because SmarterMail exposes an administrator feature that runs an operator-supplied OS command by design.

Once authenticated as a system administrator, attackers can navigate to Settings, then Volume Mounts, and create a new volume with an arbitrary command in the Volume Mount Command field. That command executes on the underlying operating system with SYSTEM-level privileges, so an authentication bypass at the admin tier is, in practice, unauthenticated remote code execution.

This means attackers can:

  • Read all emails on the server
  • Send emails as any user
  • Install backdoors and malware
  • Pivot to other systems on the network
  • Exfiltrate sensitive data
  • Deploy ransomware

Timeline: From Disclosure to Exploitation

The speed at which this vulnerability went from patch to exploitation illustrates how quickly attackers can weaponize security fixes:

  • January 8: watchTowr reports the vulnerability to SmarterTools
  • January 15: SmarterMail releases Build 9511 with a fix, but no CVE is assigned
  • January 17: Researchers detect active exploitation in the wild, just two days after the patch
  • January 23: CVE-2026-23760 is officially assigned

The rapid exploitation suggests attackers compared the vulnerable and patched builds to locate the changed code and infer the flaw from it. This technique, known as patch diffing, is increasingly common as attackers race to compromise systems before administrators can apply updates: once a vendor ships a fix, the fix itself points at the bug.

Who Is Affected

SmarterMail serves approximately 15 million users across 120 countries. The platform is particularly popular among:

  • Managed service providers
  • Small and medium businesses
  • Web hosting providers
  • Organizations seeking on premises email alternatives to cloud services

Any SmarterMail installation running a build prior to 9511 is vulnerable. Given the active exploitation, an internet-facing server that stayed unpatched while exploitation was under way should be treated as potentially compromised, not merely at risk: upgrading closes the entry point but does not undo a password reset or remove a Volume Mount that an attacker has already created.

A Pattern of Email Server Vulnerabilities

This isn't the first critical SmarterMail vulnerability in recent months. In late 2025, a separate flaw (CVE-2025-52691) with the maximum severity score of 10.0 allowed unauthenticated file uploads, also leading to remote code execution.

According to Censys analysis, less than 1% of vulnerable SmarterMail instances were patched in the week following that disclosure, leaving nearly 11,000 servers exposed on the internet.

Email servers remain high value targets because they contain sensitive communications, provide trusted sending capability for phishing attacks, and often have network access that allows lateral movement to other systems.

Immediate Actions Required

If you run SmarterMail:

  1. Upgrade immediately to Build 9511 or later
  2. Reset every system administrator password after upgrading; an attacker who used the flaw chose the current one and still knows it
  3. Review admin account activity for unauthorized password resets or suspicious logins, especially from unfamiliar source addresses
  4. Check Volume Mounts for any entries you didn't create, and treat any entry carrying a command you don't recognize as evidence of code execution
  5. Audit server processes for unexpected commands or services
  6. Review outbound email logs for signs of abuse
  7. Consider network isolation until patching is complete
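The review steps in this checklist, as an added triage helper that is not part of the article and not a SmarterMail tool. It scores a build number against 9511 and walks constructed audit lines (a hypothetical layout assumed here: timestamp, client address, event name, key=value fields) for three signals: a force-reset-password call with is_sysadmin=true, a successful login to that account from the same address soon afterwards, and a Volume Mount created with a non-empty command. Your own server's logs need to be mapped onto those fields before the logic applies to them.

```python
import shlex
from datetime import datetime, timedelta

# Added triage helper; not from the article and not a SmarterMail component. The
# audit-line layout below is hypothetical: adapt parse_events() to your real logs.

PATCHED_BUILD = 9511  # first build that carries the fix, per the advisory


def is_vulnerable_build(build: int) -> bool:
    return build < PATCHED_BUILD


# Constructed sample lines: "<ISO-8601 timestamp> <client ip> <event> key=value ...".
SAMPLE_LOG = """\
2026-01-17T03:12:44Z 203.0.113.5 force-reset-password user=admin is_sysadmin=true
2026-01-17T03:12:51Z 203.0.113.5 login user=admin result=success
2026-01-17T03:15:02Z 203.0.113.5 volume-mount-create name=backup command="cmd.exe /c whoami"
2026-01-17T09:00:10Z 198.51.100.7 login user=alice result=success
2026-01-17T09:30:00Z 198.51.100.7 force-reset-password user=alice is_sysadmin=false
2026-01-17T10:00:00Z 198.51.100.7 volume-mount-create name=archive command=""
"""


def parse_events(text: str) -> list:
    """Turn the constructed lines into dicts sorted by time. shlex keeps a quoted
    command value, spaces and all, as one field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, *pairs = shlex.split(line)
        attrs = dict(p.split("=", 1) for p in pairs)
        attrs.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")), ip=ip, event=event)
        events.append(attrs)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (finding, client_ip, detail) tuples for the three signals the
    checklist asks for: an unauthenticated admin reset, a login to that account
    from the same address within `window`, and a Volume Mount carrying a command."""
    findings = []
    for i, e in enumerate(events):
        if e["event"] == "force-reset-password" and e.get("is_sysadmin") == "true":
            findings.append(("unauthenticated-admin-reset", e["ip"], e.get("user", "?")))
            for later in events[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if (later["event"] == "login" and later["ip"] == e["ip"]
                        and later.get("user") == e.get("user")
                        and later.get("result") == "success"):
                    findings.append(("login-after-reset", later["ip"], later["user"]))
                    break
        elif e["event"] == "volume-mount-create" and e.get("command"):
            # Any command at all is worth a look; one you did not enter is code execution.
            findings.append(("volume-mount-command", e["ip"], e["command"]))
    return findings


if __name__ == "__main__":
    print("build 9510 vulnerable:", is_vulnerable_build(9510))
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(*finding)
```

On the sample data the ordinary-user reset (is_sysadmin=false) and the empty-command mount are left alone; the admin reset, the login that follows it from the same address, and the mount with a command are the three findings. Tune the window to your own timeline rather than the 30 minutes assumed here.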

If you discover evidence of compromise, treat the server as fully compromised. Attackers with SYSTEM access can install persistent backdoors that survive patches and even a full reinstallation of SmarterMail, so recovery means rebuilding the host from known-good media and restoring mail data onto it, not reinstalling the application in place.

The Bigger Picture

This vulnerability underscores a persistent challenge in email security: on premises email servers require constant vigilance. Unlike cloud email services that patch automatically, self hosted solutions depend on administrators to apply updates promptly.

The two day window between patch release and active exploitation leaves almost no margin for delay. Organizations running their own email infrastructure must treat critical security updates as emergencies, not routine maintenance.

For the 15 million users depending on SmarterMail servers, the security of their communications now depends entirely on how quickly their administrators act.