SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API

Advisories

severity: critical
date: January 23, 2026
Affecting: SmarterMail < 100.0.9511
CVE: CVE-2026-24423
CWE: CWE-306 Missing Authentication for Critical Function
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: SmarterMail Release Notes
CODE WHITE Vulnerability List
Credit: Sina Kheirkhah & Piotr Bazydlo of watchTowr, Markus Wulftange of CODE WHITE GmbH, Cale Black of VulnCheck
Description: SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.