CVE-2026-23760
Published: 22 January 2026
Description
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
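The missing checks described above, modelled as an added example (not SmarterMail code; the account store, function names and token scheme are hypothetical): a reset handler with the advisory's flaw beside one that only resets when the authenticated owner proves the current password or presents a valid single-use reset token.

```python
# Added toy model of the reset flaw described for CVE-2026-23760; not SmarterMail
# code. The store layout, function names and token scheme are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)      # username -> password hash
    reset_tokens: dict = field(default_factory=dict)  # token -> username


def _hash(password: str) -> str:
    return "h:" + password  # stand-in for a slow password hash, toy only


def vulnerable_force_reset(store: Store, username: str, new_password: str) -> bool:
    """The pattern the advisory describes: the caller's identity is never
    checked, and neither the current password nor a reset token is verified."""
    if username not in store.accounts:
        return False
    store.accounts[username] = _hash(new_password)
    return True


def issue_reset_token(store: Store, username: str) -> str:
    """Single-use token, delivered out of band to the account owner."""
    token = secrets.token_urlsafe(32)
    store.reset_tokens[token] = username
    return token


def hardened_force_reset(store: Store, username: str, new_password: str,
                         session_user: Optional[str] = None,
                         current_password: Optional[str] = None,
                         token: Optional[str] = None) -> bool:
    """Reset only when the authenticated owner proves the current password,
    or when a valid single-use reset token for that account is presented."""
    current = store.accounts.get(username)
    if current is None:
        return False
    if (session_user == username and current_password is not None
            and hmac.compare_digest(current.encode(), _hash(current_password).encode())):
        pass  # path (a): authenticated owner with the current password
    elif token is not None and store.reset_tokens.get(token) == username:
        del store.reset_tokens[token]  # path (b): consumed, so it cannot be replayed
    else:
        return False  # anonymous or unverified request is refused
    store.accounts[username] = _hash(new_password)
    return True
```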
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the authentication bypass by requiring timely remediation of the specific flaw in the password reset API through patching to SmarterMail build 9511 or later.
- Prohibits permitting sensitive actions without identification or authentication, such as anonymous requests to the force-reset-password endpoint for administrator accounts.
- Ensures secure authenticator management with verification procedures for password resets, preventing unauthorized changes to administrator credentials.
Security Summary
CVE-2026-23760 is an authentication bypass vulnerability (CWE-288) affecting SmarterTools SmarterMail versions prior to build 9511. The issue resides in the password reset API, specifically the force-reset-password endpoint, which allows anonymous requests without verifying the existing password or a reset token for system administrator accounts. This flaw enables attackers to reset admin credentials directly, leading to full administrative compromise of the SmarterMail instance. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
An unauthenticated attacker can exploit this vulnerability remotely by supplying a target system administrator username and a new password to the force-reset-password endpoint. Successful exploitation grants full administrative privileges within SmarterMail, which includes the ability to execute operating system commands through built-in management functionality. This effectively provides administrative access (SYSTEM on Windows or root on Linux) to the underlying host, allowing arbitrary code execution, data exfiltration, persistence, and further lateral movement.
Advisories from vendors and researchers, including SmarterTools release notes, VulnCheck, WatchTowr Labs, and Code White, recommend upgrading to SmarterMail build 9511 or later, where the authentication checks have been implemented to prevent unauthorized resets. No workarounds are detailed beyond patching, emphasizing the need for immediate updates due to the anonymous exploitability.
This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating real-world exploitation by attackers; some analyses note that the flaw may have been located by decompiling and reverse engineering the product. Security practitioners should prioritize scanning for vulnerable SmarterMail instances and monitor for signs of unexpected administrator account resets.
Details
- CWE(s): CWE-288
- KEV Date Added: 26 January 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated authentication bypass in a public-facing webmail application's API endpoint, allowing remote attackers to reset admin credentials and gain full administrative access with OS command execution, directly enabling T1190: Exploit Public-Facing Application.