PT-2026-4520 · Smartertools · Smartermail

Cale Black +1 · Published 2026-01-15 · Updated 2026-05-08 · CVE-2026-24423

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SmarterTools SmarterMail versions prior to build 9511

Description

An issue exists in the 'ConnectToHub' API method, specifically at the endpoint '/api/v1/settings/sysadmin/connect-to-hub', due to missing authentication for a critical function. This allows an unauthenticated remote attacker to point the server to a malicious HTTP server using the hubAddress parameter. The server then fetches attacker-controlled JSON, which triggers the CommandMount function to execute arbitrary OS commands under the SYSTEM context. This flaw has been actively exploited in ransomware campaigns, including attacks by the Warlock ransomware group, which compromised SmarterTools' own internal infrastructure. Over 6,000 exposed instances have been identified globally, with more than 1,000 exploitation attempts observed within a two-week period.

Recommendations

Update SmarterMail to build 9511 or later. As a temporary workaround, restrict access to the '/api/v1/settings/sysadmin/connect-to-hub' API endpoint. Monitor SmarterMail logs for suspicious outbound connections to unknown HTTP endpoints and unexpected POST requests to the 'ConnectToHub' endpoint.
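
The request-monitoring step from the recommendations, as an added example that is not part of the advisory or of SmarterTools' code. It assumes the web front end writes W3C extended logs with a `#Fields:` header (as IIS does); the function name, sample lines and trusted range are constructed for illustration.

```python
import ipaddress

# Endpoint named in the advisory; compared case-insensitively.
ENDPOINT = "/api/v1/settings/sysadmin/connect-to-hub"

def find_hub_requests(lines, trusted_nets=()):
    """Return W3C log entries that hit ENDPOINT from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The header defines column order and can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower().rstrip("/")
        if stem != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            src = None  # unparsable client address: report it, do not drop it
        if src is not None and any(src in n for n in nets):
            continue
        hits.append({
            "when": f"{row.get('date', '?')} {row.get('time', '?')}",
            "client": row.get("c-ip", "?"),
            "method": row.get("cs-method", "?"),
            "status": row.get("sc-status", "?"),
        })
    return hits

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2026-01-20 03:14:07 GET /favicon.ico 198.51.100.23 200
2026-01-20 03:14:09 POST /api/v1/settings/sysadmin/connect-to-hub 203.0.113.77 200
2026-01-20 03:15:41 POST /API/v1/settings/sysadmin/Connect-To-Hub/ 203.0.113.78 400
2026-01-20 09:02:55 POST /api/v1/settings/sysadmin/connect-to-hub 10.0.0.5 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_hub_requests(SAMPLE_LOG, trusted_nets=["10.0.0.0/8"]):
        print(hit)
```

Any hit on a build earlier than 9511 warrants correlating the timestamp with outbound HTTP connections from the mail server, since the advisory describes the server fetching JSON from the supplied hubAddress.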

Fix

RCE

Missing Authentication

Weakness Enumeration

Related Identifiers

BDU:2026-01226
CVE-2026-24423

Affected Products

Smartermail