
Critical SmarterMail vulnerability under attack, no CVE yet


A SmarterMail flaw (WT-2026-0001) is under active attack just days after its January 15 patch, with no CVE assigned yet.

A newly disclosed flaw in SmarterTools SmarterMail is being actively exploited just two days after a patch was released. The issue, tracked as WT-2026-0001 and lacking a CVE, was fixed on January 15, 2026, with Build 9511 after responsible disclosure by watchTowr Labs.

SmarterTools SmarterMail is commercial email server software designed for businesses and service providers. It provides enterprise-level email, calendar, contacts, tasks, and collaboration features.

The flaw is an authentication bypass that lets attackers reset the SmarterMail administrator password via a specially crafted request to the force-reset-password API endpoint.

The vulnerability lies in SmarterMail’s unauthenticated ForceResetPassword API, which trusts a client-supplied IsSysAdmin flag.

“You may notice that this API endpoint accepts the ForceResetPasswordInputs object, which can be deserialized from the JSON,” reads the report published by watchTowr. “It has several interesting properties that can be controlled by the user:

  • IsSysAdmin
  • Username
  • OldPassword
  • NewPassword
  • ConfirmPassword

That combination is immediately unusual. Password reset flows typically rely on a second factor or out-of-band proof of control – for example, a secret token delivered via email.”

By setting IsSysAdmin to true in the request body, an attacker can reset an administrator’s password via a crafted HTTP request, gaining admin access.

This bypass can then be escalated to remote code execution by abusing built‑in admin features to run arbitrary OS commands, leading to SYSTEM‑level access.

“There are no security controls here. No authentication. No authorization. No verification of OldPassword. Despite the API requiring an OldPassword field in the request, it is never checked when resetting a system administrator’s password,” continues the report.

“Ironically, the regular user password reset flow does validate the existing password. The privileged path does not.”
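To make the defect concrete, the following is an added illustration (not SmarterMail's code, and not from the watchTowr report) modelling the flawed logic the report describes next to a hardened form. It assumes a constructed in-memory user store with plaintext passwords to keep the model short; the point is that privilege must come from the server-side session rather than a client-supplied flag, and the existing password must be verified on every path.

```python
from dataclasses import dataclass
from typing import Dict, Optional

def make_users() -> Dict[str, dict]:
    """Constructed sample user store (plaintext only for brevity; real code
    stores hashes and compares them with a constant-time check)."""
    return {
        "admin": {"password": "Adm1n-old", "is_sysadmin": True},
        "alice": {"password": "Al1ce-old", "is_sysadmin": False},
    }

@dataclass
class ForceResetPasswordInputs:
    # Property names taken from the report; every field is client-controlled.
    IsSysAdmin: bool
    Username: str
    OldPassword: str
    NewPassword: str
    ConfirmPassword: str

def vulnerable_force_reset(inp: ForceResetPasswordInputs, users: Dict[str, dict]) -> bool:
    """Model of the flaw: the privileged path trusts the request's IsSysAdmin
    flag and never checks OldPassword, while the regular-user path does."""
    target = users.get(inp.Username)
    if target is None or inp.NewPassword != inp.ConfirmPassword:
        return False
    if not inp.IsSysAdmin and inp.OldPassword != target["password"]:
        return False  # regular-user flow validates the existing password
    target["password"] = inp.NewPassword  # sysadmin flow: no verification at all
    return True

def hardened_force_reset(inp: ForceResetPasswordInputs, users: Dict[str, dict],
                         session_user: Optional[str]) -> bool:
    """Hardened model: ignore IsSysAdmin from the body, derive privilege from
    the authenticated session, and always verify the caller's current password."""
    if session_user is None:
        return False  # unauthenticated callers may not reset anything
    caller, target = users.get(session_user), users.get(inp.Username)
    if caller is None or target is None or inp.NewPassword != inp.ConfirmPassword:
        return False
    # Resetting another account requires sysadmin per the server's own record.
    if session_user != inp.Username and not caller["is_sysadmin"]:
        return False
    if inp.OldPassword != caller["password"]:
        return False  # OldPassword is checked on every path, privileged or not
    target["password"] = inp.NewPassword
    return True
```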

The researchers pointed out that although classified as an authentication bypass, the SmarterMail flaw enables full remote code execution. After gaining system admin access, attackers can use the Volume Mounts feature to run arbitrary OS commands, achieving SYSTEM-level control.

The researchers created a proof of concept that allows achieving a SYSTEM-level shell on the target host.

The issue was patched in version 9511 on January 15, 2026, and is actively exploited. On patched systems, exploit attempts fail due to added password validation checks. No CVE has been assigned yet.

“Once again, this demonstrates that attackers actively monitor release notes and perform patch diffing on high-value targets. Together, friends, we have learned this the hard way today with WT-2026-0001,” concludes the report.

“Given that this vulnerability is already under active exploitation, upgrading is not optional.”


Pierluigi Paganini

(SecurityAffairs – hacking, SmarterTools SmarterMail)