CVE-2026-24423

CRITICAL KEV RANSOMWARE NUCLEI

SmarterTools SmarterMail <9511 - RCE


Exploitation Summary

CVE-2026-24423 is actively exploited and has been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since February 5, 2026, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including aaddmin1122345 and aavamin. A Nuclei detection template is also available.

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.

Exploits (2)

nomisec WORKING POC 7 stars
by aaddmin1122345 · poc
https://github.com/aaddmin1122345/CVE-2026-24423

This repository contains a functional PoC for CVE-2026-24423, which exploits an unauthenticated SSRF vulnerability in SmarterMail's ConnectToHub feature. The PoC sets up a malicious Hub server that returns a crafted JSON response, leading to arbitrary command execution via the SystemMount configuration.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SmarterMail (version not specified)
No auth needed
Prerequisites: Network access to the target SmarterMail instance · Ability to receive inbound connections from the target
devstral-2 · analyzed Mar 11, 2026

nomisec WORKING POC 6 stars
by aavamin · poc
https://github.com/aavamin/CVE-2026-24423

This PoC exploits an unauthenticated SSRF vulnerability in SmarterMail's ConnectToHub feature, leading to arbitrary command execution via malicious Hub responses. The script simulates a Hub server that returns a crafted JSON payload with a `CommandMount` field to execute `whoami`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SmarterMail (version not specified)
No auth needed
Prerequisites: Network access to the target SmarterMail instance · Ability to intercept or redirect Hub traffic
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

SmarterMail - Remote Code Execution
CRITICAL · VERIFIED · by jyoti369
Shodan: html:"SmarterMail"

Scores

CVSS v3 9.8
EPSS 0.8340
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-02-05
VulnCheck KEV 2026-01-28
ENISA EUVD EUVD-2026-4273
Ransomware Use Confirmed
CWE CWE-306
Status published
Products (1)
smartertools/smartermail < 100.0.9511
Published Jan 23, 2026
KEV Added Feb 05, 2026
Tracked Since Feb 18, 2026