Full Report
SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API
Analysis Summary
# Vulnerability: Critical Unauthenticated Remote Code Execution in SmarterMail via ConnectToHub API
## CVE Details
- CVE ID: CVE-2026-24423
- CVSS Score: 9.3 (Critical)
- CWE: Not specified in context.
## Affected Systems
- Products: SmarterTools SmarterMail
- Versions: Versions prior to build 9511
- Configurations: Any configuration running the vulnerable version.
## Vulnerability Description
The vulnerability is an unauthenticated Remote Code Execution (RCE) flaw in the `ConnectToHub` API method of SmarterMail. An attacker can exploit it by pointing a vulnerable SmarterMail instance at a malicious HTTP server; that server returns operating system commands, which the vulnerable application then executes.
## Exploitation
- Status: Not explicitly stated as exploited in the wild for this specific CVE in the provided text (unlike CVE-2026-23760).
- Complexity: Not stated explicitly; implied low, since the flaw requires no authentication.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Likely complete system compromise possible via RCE)
- Integrity: High (Likely complete system compromise possible via RCE)
- Availability: High (Likely denial of service or full system takeover resulting in unavailability)
## Remediation
### Patches
- The vulnerability is addressed in **Build 9511** (released January 15, 2026).
- *Note: Build 9518 (released January 22, 2026) also addresses this and other recent flaws.*
### Workarounds
- No specific workarounds were mentioned in the provided text. Immediate patching is strongly advised given the RCE nature of the flaw and the active exploitation of co-occurring vulnerabilities.
## Detection
- Detection methods are not detailed for this specific CVE in the provided text.
- Mitigation relies on immediate patching. In addition, monitor outbound network traffic for unexpected connections from the SmarterMail service account or process to external HTTP servers, since exploitation depends on the server fetching commands from an attacker-controlled HTTP host.
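The two checks above (is the installed build older than 9511, and is the mail service making unexpected outbound HTTP connections?) can be scripted. The following is an added example, not code from the page or from SmarterTools: the version-string format, the process name `MailService.exe`, the service account `SMARTERMAIL_SVC`, the connection-log line format and the sample log lines are all constructed for illustration and must be adapted to the real deployment and logging pipeline.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# From the advisory: builds before 9511 are affected.
PATCHED_BUILD = 9511

# Hypothetical names for the SmarterMail service process and account (assumption).
WATCHED_PROCESSES = {"MailService.exe"}
WATCHED_ACCOUNTS = {"SMARTERMAIL_SVC"}
HTTP_PORTS = {80, 443, 8080, 8443}

# Address ranges treated as "internal"; anything else is an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_build(version: str) -> Optional[int]:
    """Extract the numeric build from a string like 'SmarterMail Build 9504' (format assumed)."""
    m = re.search(r"\bbuild\s*(\d+)", version, re.IGNORECASE)
    return int(m.group(1)) if m else None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates 9511, False if patched, None if the build cannot be parsed."""
    build = parse_build(version)
    if build is None:
        return None
    return build < PATCHED_BUILD


@dataclass
class Finding:
    timestamp: str
    process: str
    account: str
    dst_host: str
    dst_port: int
    reason: str


# Constructed log format: "<ts> proc=<name> user=<account> dst=<host>:<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+user=(?P<user>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)"
)


def is_external(host: str) -> bool:
    """Hostnames and non-internal IPs count as external destinations."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name rather than an IP literal
    return not any(addr in net for net in INTERNAL_NETS)


def triage_outbound(lines: List[str], allowlist: Set[str]) -> List[Finding]:
    """Flag outbound HTTP(S) connections from the mail service to non-allowlisted external hosts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        proc, user = m.group("proc"), m.group("user")
        host, port = m.group("host"), int(m.group("port"))
        if proc not in WATCHED_PROCESSES and user not in WATCHED_ACCOUNTS:
            continue  # not the mail service
        if port not in HTTP_PORTS or host in allowlist or not is_external(host):
            continue  # mail delivery, known update hosts and internal traffic are expected
        findings.append(Finding(m.group("ts"), proc, user, host, port,
                                "unexpected outbound HTTP from mail service"))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses stand in for external hosts).
SAMPLE_LOG = """\
2026-01-16T10:21:58Z proc=MailService.exe user=SMARTERMAIL_SVC dst=10.0.0.25:25 proto=tcp
2026-01-16T10:22:03Z proc=MailService.exe user=SMARTERMAIL_SVC dst=203.0.113.45:80 proto=tcp
2026-01-16T10:22:04Z proc=svchost.exe user=SYSTEM dst=198.51.100.7:443 proto=tcp
2026-01-16T10:22:09Z proc=MailService.exe user=SMARTERMAIL_SVC dst=192.168.1.10:443 proto=tcp
2026-01-16T10:22:15Z proc=MailService.exe user=SMARTERMAIL_SVC dst=updates.example.net:443 proto=tcp
2026-01-16T10:22:20Z proc=MailService.exe user=SMARTERMAIL_SVC dst=198.51.100.99:8080 proto=tcp
"""
ALLOWLIST = {"updates.example.net"}  # hypothetical known-good destination

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("SmarterMail Build 9504"))
    for f in triage_outbound(SAMPLE_LOG.splitlines(), ALLOWLIST):
        print(f"{f.timestamp} {f.process} ({f.account}) -> {f.dst_host}:{f.dst_port}: {f.reason}")
```

Run against the constructed sample, the script reports the two connections to non-allowlisted external HTTP hosts and ignores SMTP delivery, internal traffic and the allowlisted update host. The allowlist is the tuning knob: a real deployment will have legitimate outbound HTTP (licensing, updates, webhooks), and those destinations belong in it so that only unexplained connections are surfaced.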
## References
- Vendor advisory/Release Notes: [smartertools.com/smartermail/release-notes/current](https://www.smartertools.com/smartermail/release-notes/current) (This link may lead to the specific build fix notes)
- CVE Record: [cve.org/CVERecord?id=CVE-2026-24423](https://www.cve.org/CVERecord?id=CVE-2026-24423)