SmarterMail CVE-2026-23760 Exploited for RCE via System Events
SmarterMail admins are facing active exploitation of CVE-2026-23760, a privileged account takeover flaw that can lead to remote code execution (RCE). Attackers abuse the bug to reset a privileged user’s password, authenticate, and then weaponize System Events to run commands on the server.
The issue affects SmarterMail builds prior to 9511. SmarterTools released Build 9511 on January 15, 2026, and defenders should patch immediately. Additionally, defenders should not confuse this with the ongoing mass exploitation of CVE-2025-52691, a separate unauthenticated file upload flaw that also enables RCE.
How the attack works
Threat activity shows a fast, automated sequence of HTTP POST requests that chain account takeover into execution.
Attackers first hit the password reset endpoint to take over a privileged account. Next, they log in to obtain a valid access token. Then, they create a malicious System Event using the sysadmin API. Finally, they add a domain to trigger the event and run reconnaissance commands. Cleanup follows right after to remove evidence.
Observed request flow (in order):
POST /api/v1/auth/force-reset-password
POST /api/v1/auth/authenticate-user
POST /api/v1/settings/sysadmin/event-hook
POST /api/v1/settings/sysadmin/domain-put
POST /api/v1/settings/sysadmin/domain-delete/google.abc[.]com/true
POST /api/v1/settings/sysadmin/event-hook-delete
Root cause and patch notes
The vulnerable logic did not properly validate the “old password” submitted to the force-reset endpoint. Newer builds fixed that validation.
Source: huntress.com – Comparison of SmarterMail binary versions 9504 and 9511
Indicators of Compromise
Use the following IoCs to pivot in logs, firewall telemetry, and EDR.
| Type | Indicator |
|---|---|
| CVE | CVE-2026-23760 |
| Related CVE | CVE-2025-52691 |
| Source IPs | 142.111.152[.]57, 142.111.152[.]229, 155.2.215[.]66, 142.111.152[.]54, 142.111.152[.]53, 142.111.152[.]222, 142.111.152[.]159, 142.111.152[.]165, 155.2.215[.]70, 142.111.152[.]49, 155.2.215[.]74, 142.111.152[.]160, 155.2.215[.]73, 142.111.152[.]51, 155.2.215[.]60, 142.111.152[.]151, 142.111.152[.]46, 155.2.215[.]68, 142.111.152[.]155, 142.111.152[.]45, 155.2.215[.]72, 155.2.215[.]67, 142.111.152[.]47, 142.111.152[.]59, 142.111.152[.]56, 142.111.152[.]154, 142.111.152[.]150, 155.2.215[.]62 |
| User-Agent | python-requests/2.32.4 |
| Recon output file | C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt |
| Targeted endpoints | /api/v1/auth/force-reset-password, /api/v1/auth/authenticate-user, /api/v1/settings/sysadmin/event-hook, /api/v1/settings/sysadmin/domain-put, /api/v1/settings/sysadmin/domain-delete/google.abc.com/true, /api/v1/settings/sysadmin/event-hook-delete |
What defenders should do now
First, upgrade SmarterMail to Build 9511 or later. Next, review web logs for the endpoint sequence above. Also hunt for result.txt in the SmarterMail wwwroot path. Finally, block or alert on suspicious automation traffic, especially python-requests/2.32.4, when it hits admin APIs.
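The log review described above, as an added example that is not part of the original article and is not SmarterTools code. It parses web-server access lines, flags the ordered force-reset-password / authenticate-user / event-hook / domain-put sequence per source IP, matches the published source IPs, and alerts on the python-requests/2.32.4 User-Agent against the sysadmin API. The log layout (`date time ip method path status "user-agent"`) and the sample lines are constructed for this example; adapt `parse_line()` to the field order of your actual SmarterMail/IIS logs.

```python
"""Hunt SmarterMail web logs for the CVE-2026-23760 exploitation pattern.

Added example; the log format and sample lines are constructed, not taken
from a real incident. Adjust LOG_RE to your server's actual log layout.
"""
import os
import re
from collections import defaultdict

# Indicators taken from the article's IoC table.
SUSPICIOUS_UA = "python-requests/2.32.4"
RECON_FILE = r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt"
KNOWN_BAD_IPS = {
    "142.111.152.57", "142.111.152.229", "155.2.215.66", "142.111.152.54",
    "142.111.152.53", "142.111.152.222", "142.111.152.159", "142.111.152.165",
    "155.2.215.70", "142.111.152.49", "155.2.215.74", "142.111.152.160",
    "155.2.215.73", "142.111.152.51", "155.2.215.60", "142.111.152.151",
    "142.111.152.46", "155.2.215.68", "142.111.152.155", "142.111.152.45",
    "155.2.215.72", "155.2.215.67", "142.111.152.47", "142.111.152.59",
    "142.111.152.56", "142.111.152.154", "142.111.152.150", "155.2.215.62",
}
# The fixed-path part of the observed request flow, in order (the
# domain-delete step carries a variable domain name, so it is not matched).
ATTACK_SEQUENCE = [
    "/api/v1/auth/force-reset-password",
    "/api/v1/auth/authenticate-user",
    "/api/v1/settings/sysadmin/event-hook",
    "/api/v1/settings/sysadmin/domain-put",
]
SYSADMIN_PREFIX = "/api/v1/settings/sysadmin/"

# Constructed layout: date time ip method path status "user-agent"
LOG_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_sequence(paths, sequence):
    """True if every step of `sequence` occurs in `paths` in that order
    (other requests may be interleaved)."""
    it = iter(paths)
    return all(step in it for step in sequence)


def hunt(lines):
    """Return {source_ip: [reasons]} for every IP that trips an indicator."""
    reasons = defaultdict(set)
    posts_by_ip = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        if ip in KNOWN_BAD_IPS:
            reasons[ip].add("known IoC source IP")
        if rec["ua"] == SUSPICIOUS_UA and rec["path"].startswith(SYSADMIN_PREFIX):
            reasons[ip].add(f"{SUSPICIOUS_UA} hitting sysadmin API")
        if rec["method"] == "POST":
            posts_by_ip[ip].append(rec["path"])
    for ip, paths in posts_by_ip.items():
        if matches_sequence(paths, ATTACK_SEQUENCE):
            reasons[ip].add("exploitation sequence: force-reset-password -> "
                            "authenticate-user -> event-hook -> domain-put")
    return {ip: sorted(r) for ip, r in reasons.items()}


def recon_artifact_present(path=RECON_FILE):
    """True if the reconnaissance output file left by the attackers exists."""
    return os.path.exists(path)


# Constructed sample log: one attacker run from a published IoC IP, one
# legitimate admin session, and one automation client on the sysadmin API.
SAMPLE_LOG = """\
2026-01-16 03:12:01 142.111.152.57 POST /api/v1/auth/force-reset-password 200 "python-requests/2.32.4"
2026-01-16 03:12:02 142.111.152.57 POST /api/v1/auth/authenticate-user 200 "python-requests/2.32.4"
2026-01-16 03:12:03 142.111.152.57 POST /api/v1/settings/sysadmin/event-hook 200 "python-requests/2.32.4"
2026-01-16 03:12:04 142.111.152.57 POST /api/v1/settings/sysadmin/domain-put 200 "python-requests/2.32.4"
2026-01-16 03:12:06 142.111.152.57 POST /api/v1/settings/sysadmin/event-hook-delete 200 "python-requests/2.32.4"
2026-01-16 03:15:00 10.0.0.5 POST /api/v1/auth/authenticate-user 200 "Mozilla/5.0"
2026-01-16 03:16:00 10.0.0.5 GET /interface/root 200 "Mozilla/5.0"
2026-01-16 03:17:00 10.0.0.9 POST /api/v1/settings/sysadmin/domain-put 200 "python-requests/2.32.4"
"""

if __name__ == "__main__":
    for ip, why in hunt(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in why:
            print("  -", reason)
    print("result.txt present:", recon_artifact_present())
```

Run it against a real log by feeding the file's lines to `hunt()`; the ordered-sequence check is the strongest signal, since a lone hit on the password-reset or authenticate endpoint is normal traffic, while the User-Agent match alone is only a weak pointer that still deserves review against the sysadmin API.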