Categories: Cyber Security News

6000+ Vulnerable SmarterTools SmarterMail Servers Exposed to Actively Exploited RCE Vulnerability

Over 6,000 SmarterMail servers exposed on the internet are running vulnerable versions that are at risk of active remote code execution (RCE) attacks.

Security researchers identified the flaws through daily HTTP vulnerability scans, and exploitation attempts have already been observed in the wild.

This represents a significant threat to organizations worldwide relying on SmarterMail for enterprise email operations.

Vulnerability Overview

CVE-2026-23760 is a critical authentication bypass vulnerability in the SmarterMail password reset API affecting all versions prior to Build 9511, released January 15, 2026.

The vulnerability carries a CVSS score of 9.3, indicating extreme risk to affected systems.

The flaw exists in the /api/v1/auth/force-reset-password endpoint, which permits unauthenticated requests without requiring password verification or reset tokens when targeting administrator accounts.

An attacker exploiting this vulnerability can supply any administrator username with a new password, achieving immediate administrative account takeover.

Critically, SmarterMail administrators have built-in functionality that enables direct execution of operating system commands through the Settings interface, effectively elevating the compromise to SYSTEM-level access on the underlying host.

Multiple security organizations have confirmed active exploitation since at least January 17, 2026, just two days after the patch release.

Huntress Labs observed threat actors using the compromised administrator accounts to create malicious System Events configured to execute reconnaissance commands on vulnerable hosts.

The attack chain demonstrates a sophisticated understanding of SmarterMail architecture, with attackers systematically resetting accounts, obtaining authentication tokens, and installing persistent backdoors.


Watchtowr Labs received anonymous reports confirming threat actors exploiting the vulnerability in production environments.

https://twitter.com/Shadowserver/status/2015786842398875679?ref_src=twsrc%5Etfw

This is particularly concerning, given that attackers actively monitor release notes and perform patch diffing to reverse-engineer vulnerabilities.

Shadowserver’s geographically distributed scanning reveals vulnerable instances across multiple continents, though the exact regional breakdown has not been publicly detailed.

The discovery of 6,000 vulnerable IPs underscores the significant attack surface, particularly as many organizations remain unaware of available patches.

SmarterTools strongly recommends updating to the latest build immediately. Organizations should prioritize patching, as attackers are actively targeting unpatched instances and there is no sign that exploitation attempts are slowing.

Security teams should review administrator account activity logs for unauthorized password resets, investigate for web shells or malware installed via exploitation, and confirm that system backups remain uncompromised.
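Added example (not from the article, from SmarterTools, or from any of the researchers it cites): a small Python triage script for the two defender actions above, checking an installed build number against the patched Build 9511 and scanning web-server access logs for requests to the /api/v1/auth/force-reset-password endpoint described earlier. The IIS W3C log layout, the internal address ranges, the build-string format and the sample log lines are all assumptions constructed for illustration; SmarterMail's own log layout is not described in the article, so adapt the parser to whatever your server actually writes.

```python
"""
Triage helpers for CVE-2026-23760 exposure (added example, not vendor code).

Assumptions (not from the article):
  * access logs use the IIS W3C format with a "#Fields:" header line;
  * internal client ranges are RFC 1918 networks;
  * the build string looks like "Build 9511" (trailing integer).
The sample log below is constructed for illustration, not real traffic.
"""
import ipaddress
import re
from dataclasses import dataclass

PATCHED_BUILD = 9511  # first fixed build according to the article
RESET_ENDPOINT = "/api/v1/auth/force-reset-password"

# Constructed sample W3C log lines (IIS-style). The second line models an
# anonymous external hit on the reset endpoint; the last models an admin
# resetting a password from an internal workstation.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-01-17 03:12:44 10.0.0.5 GET /interface/root - 443 - 10.0.0.22 Mozilla/5.0 200
2026-01-17 03:12:51 10.0.0.5 POST /api/v1/auth/force-reset-password - 443 - 203.0.113.45 python-requests/2.31 200
2026-01-17 03:13:02 10.0.0.5 POST /api/v1/auth/login - 443 - 203.0.113.45 python-requests/2.31 200
2026-01-17 09:40:10 10.0.0.5 POST /api/v1/auth/force-reset-password - 443 admin 10.0.0.22 Mozilla/5.0 200
"""

INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class ResetHit:
    timestamp: str
    client_ip: str
    username: str   # "-" in W3C logs means the request was anonymous
    status: str
    external: bool  # client address outside the assumed internal ranges


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, parts))


def find_reset_requests(text, internal_nets=INTERNAL_NETS):
    """Return every request to the reset endpoint, flagging external clients."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != RESET_ENDPOINT:
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        hits.append(ResetHit(
            timestamp=f'{rec["date"]} {rec["time"]}',
            client_ip=rec["c-ip"],
            username=rec.get("cs-username", "-"),
            status=rec.get("sc-status", "-"),
            external=not any(ip in n for n in nets),
        ))
    return hits


def build_from_string(version_text):
    """Extract the trailing build integer from a string such as 'Build 9511'."""
    m = re.search(r"(\d+)\s*$", version_text.strip())
    if not m:
        raise ValueError(f"no build number in {version_text!r}")
    return int(m.group(1))


def needs_patch(build):
    """True when the build predates the fixed build named in the article."""
    return build < PATCHED_BUILD


if __name__ == "__main__":
    print("needs patch (Build 9480)?", needs_patch(build_from_string("Build 9480")))
    for hit in find_reset_requests(SAMPLE_LOG):
        tag = "EXTERNAL" if hit.external else "internal"
        anon = " anonymous" if hit.username == "-" else ""
        print(f"{hit.timestamp} {hit.client_ip:15} {tag}{anon} status={hit.status}")
```

An anonymous, external request to the reset endpoint that returned 200 is the pattern worth escalating; an internal, authenticated one is normal administration and needs only a cross-check against change records.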

The post 6000+ Vulnerable SmarterTools SmarterMail Servers Exposed to Actively Exploited RCE Vulnerability appeared first on Cyber Security News.