
"The problem is rooted in the function "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword," which not only allows the endpoint to be reached without authentication, but also leverages the fact that the reset request is accompanied by a boolean flag named "IsSysAdmin" to handle the incoming request depending on whether the user is a system administrator or not. In case the flag is set to "true" (i.e., indicating that the user is an administrator), the underlying logic performs the following sequence of actions -"
""The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands," watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said. In other words, the privileged path is configured such that it can trivially update an administrator user's password by sending an HTTP request with the username of an administrator account and a password of their choice."
A SmarterMail authentication bypass tracked as WT-2026-0001 was patched in Build 9511 on January 15, 2026, following responsible disclosure on January 8. The /api/v1/auth/force-reset-password endpoint accepts unauthenticated HTTP requests that carry an IsSysAdmin boolean flag. When that flag is true, the controller retrieves the username configuration, creates a new system administrator item with the supplied password, and updates the administrator account's password. The flaw therefore allows trivial administrator password resets and may enable execution of operating system commands through RCE-as-a-feature functionality. Exploitation was observed two days after the patch release.
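For defenders triaging exposure, the most useful artifact from the summary above is the endpoint path itself: on a build earlier than 9511, any request to /api/v1/auth/force-reset-password could have been sent without a session, so each hit in the web server access log deserves review against the administrator accounts. The following is an added example, not code from The Hacker News, watchTowr or SmarterTools; it parses combined-format access log lines (the sample lines are constructed, not real traffic) and reports every request to the reset endpoint together with a per-source count.

```python
import re
from collections import Counter

# Endpoint named in the advisory summary above.
RESET_PATH = "/api/v1/auth/force-reset-password"

# Constructed sample access log in combined log format (not captured traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2026:10:01:22 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 153 "-" "python-requests/2.31"
198.51.100.4 - - [17/Jan/2026:10:02:01 +0000] "GET /interface/root HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2026:10:02:05 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 153 "-" "python-requests/2.31"
192.0.2.10 - - [17/Jan/2026:10:03:40 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: source IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_reset_requests(log_text):
    """Return (ip, timestamp, method, status) for every request whose path is the
    force-reset-password endpoint, ignoring any query string and letter case."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0].lower()
        if path == RESET_PATH:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         int(m.group("status"))))
    return hits


def sources_by_count(hits):
    """Count reset-endpoint requests per source address for prioritising review."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    found = find_reset_requests(SAMPLE_LOG)
    for ip, ts, method, status in found:
        print(f"{ts} {ip} {method} {RESET_PATH} -> {status}")
    print("requests per source:", dict(sources_by_count(found)))
```

A successful (2xx) request to this path from an address that is not an expected administrator workstation is the signal to check: compare it with the last-modified time of the system administrator account and with subsequent sessions from the same source. Access logs do not usually record the request body, so the IsSysAdmin flag itself is not visible here; the path alone is enough for triage, and bodies would have to come from a reverse proxy or WAF that logs them.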
Read at The Hacker News