Cyber Posture

CVE-2026-24423

Critical · CISA KEV · Active Exploitation · Public PoC · Ransomware-linked

Published: 23 January 2026
Modified: 06 February 2026
KEV Added: 05 February 2026
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8203 (99.2nd percentile)
Risk Priority: 89 (60% EPSS · 20% KEV · 20% CVSS)

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Timely flaw remediation through vendor patching to build 9511 or later directly eliminates the unauthenticated RCE vulnerability in ConnectToHub, as recommended in the advisories.

prevent: Information input validation prevents the execution of malicious OS commands received from untrusted HTTP servers contacted by the ConnectToHub API.

prevent: Defining and limiting the actions permitted without identification or authentication directly mitigates CWE-306 (Missing Authentication for Critical Function) for the critical ConnectToHub function.

Security Summary (AI)

CVE-2026-24423 is an unauthenticated remote code execution vulnerability in SmarterTools SmarterMail versions prior to build 9511. The issue affects the ConnectToHub API method and stems from CWE-306 (Missing Authentication for Critical Function). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, low in attack complexity, and requires neither privileges nor user interaction.

An unauthenticated remote attacker can exploit the vulnerability by tricking the SmarterMail instance into connecting to an attacker-controlled HTTP server. That server delivers a malicious OS command, which the vulnerable application executes with the privileges of the SmarterMail process, enabling full server compromise including data exfiltration, modification, or disruption.

Advisories from VulnCheck and Code White detail the flaw, and the SmarterTools release notes address it in build 9511 and later, recommending an immediate upgrade. The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, underscoring the need for urgent patching.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 05 February 2026

Affected Products

smartertools / smartermail: ≤ 100.0.9511

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to gain initial access to a network.

Why these techniques?

The vulnerability is an unauthenticated RCE in a public-facing webmail application (SmarterMail), so exploiting it through the ConnectToHub API is a direct instance of exploiting a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References