CVE-2026-23760

Tags: Critical · KEV · Ransomware · Nuclei

SmarterTools SmarterMail <9511 - Auth Bypass

Title source: llm

Exploitation Summary

CVE-2026-23760 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 26, 2026), with confirmed use in ransomware campaigns. EIP tracks 2 public exploits, from researchers hilwa24 and MaxMnMl. A Nuclei detection template is also available.

Description

SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.

Exploits (2)

nomisec · Working PoC · 2 stars
by hilwa24 · remote
https://github.com/hilwa24/CVE-2026-23760_SmarterMail-Auth-Bypass-and-RCE

This repository contains a Python script that demonstrates an authentication bypass and remote code execution (RCE) exploit for SmarterMail via CVE-2026-23760. The exploit resets the admin password and executes arbitrary commands using the `AddOrUpdateMount` endpoint.

Classification: Working PoC (95%)
Attack Type: RCE | Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SmarterMail (version not specified)
Authentication: none needed
Prerequisites: Network access to the SmarterMail instance · API endpoints `/api/v1/auth/force-reset-password` and `/api/v1/settings/sysadmin/AddOrUpdateMount` must be accessible
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC · 1 star
by MaxMnMl · poc
https://github.com/MaxMnMl/smartermail-CVE-2026-23760-poc

This PoC demonstrates an authentication bypass in SmarterMail's password reset API, allowing unauthenticated attackers to reset the system administrator's password and achieve remote code execution via volume mount command injection.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SmarterTools SmarterMail versions prior to build 9511
Authentication: none needed
Prerequisites: Knowledge of the administrator username
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

SmarterTools SmarterMail - Admin Password Reset
Severity: Critical · Verified · by watchTowr, DhiyaneshDk
Shodan query: html:"SmarterMail"

Scores

CVSS v3 9.8
EPSS 0.8165
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-01-26
VulnCheck KEV 2026-01-22
ENISA EUVD EUVD-2026-4143
Ransomware Use Confirmed
CWE
CWE-288
Status published
Products (1)
smartertools/smartermail < 100.0.9511
Published Jan 22, 2026
KEV Added Jan 26, 2026
Tracked Since Feb 18, 2026