Critical SmarterMail Vulnerability Exploited in Ransomware Attacks
Briefly

"The issue is described as an unauthenticated remote code execution (RCE) flaw via the ConnectToHub API. Because the API processes requests controlled by a remote server, attackers can define arbitrary command execution parameters that are passed to the endpoint, resulting in command execution on all platforms. "The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application," a NIST advisory reads."
"According to VulnCheck, the root cause of the bug is that the ConnectToHub API "explicitly allows anonymous users and processes JSON data sent in POST requests." Attackers can define a mount command with malicious parameters and, upon execution, could escalate privileges on Linux systems, VulnCheck says. On January 15, SmarterMail build 9511 was released with patches for CVE-2026-24423, as well as for the two SmarterMail defects previously flagged as exploited."
SmarterMail email and collaboration servers are under active attack exploiting multiple vulnerabilities. A previously exploited authentication bypass allowed attackers to reset administrator passwords and take over servers. CISA added those flaws and a newly tracked vulnerability, CVE-2026-24423, to its Known Exploited Vulnerabilities catalog. CVE-2026-24423 is an unauthenticated remote code execution flaw in the ConnectToHub API, which explicitly allows anonymous users and processes JSON data sent in POST requests. An attacker can point SmarterMail at a malicious HTTP server that returns an OS command, which the application then executes; this yields command execution on all platforms, and a crafted mount command can additionally escalate privileges on Linux. SmarterMail build 9511, released January 15, patches CVE-2026-24423 together with the two previously exploited defects; administrators should update promptly. CISA set a February 26 remediation target and warned that the flaws are being used in ransomware attacks.
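Two checks a defender would want after reading the above: is the server at or beyond the fixing build, and do the web logs show anonymous POST requests reaching the ConnectToHub API. The script below is an added example written for this summary, not code from SecurityWeek, VulnCheck or SmarterTools. The log lines are constructed, the W3C-style field order (date time c-ip cs-method cs-uri-stem cs-username sc-status) is assumed, and the URI paths are placeholders chosen to contain "ConnectToHub"; the real SmarterMail endpoint path and log layout must be confirmed against your own installation before using this for detection.

```python
import re
from dataclasses import dataclass

# From the summary: build 9511 is the first build carrying the fix for CVE-2026-24423.
MIN_PATCHED_BUILD = 9511

# Constructed sample log lines (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-username sc-status).
# The URI paths are placeholders, not SmarterMail's documented routes.
SAMPLE_LOG = """\
2026-01-16 10:01:02 203.0.113.7 POST /api/v1/settings/sysadmin/connect-to-hub - 200
2026-01-16 10:01:05 192.0.2.44 GET /interface/root - 200
2026-01-16 10:01:09 203.0.113.7 POST /api/v1/auth/authenticate-user - 401
2026-01-16 10:02:11 198.51.100.9 POST /api/v1/settings/sysadmin/ConnectToHub admin 200
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass
class Hit:
    time: str
    client_ip: str
    path: str
    user: str
    status: int


def is_patched(build: int) -> bool:
    """True when the running SmarterMail build is at or past the fixing build."""
    return build >= MIN_PATCHED_BUILD


def _mentions_connect_to_hub(path: str) -> bool:
    # Normalise away hyphens and case so both "connect-to-hub" and
    # "ConnectToHub" spellings of the assumed path are caught.
    return "connecttohub" in path.replace("-", "").lower()


def suspicious_hub_requests(log_text: str) -> list[Hit]:
    """Return POST requests to a ConnectToHub-like path that carried no
    authenticated username ('-'), i.e. the anonymous access the flaw allows."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, ip, method, path, user, status = m.groups()
        if method == "POST" and _mentions_connect_to_hub(path) and user == "-":
            hits.append(Hit(ts, ip, path, user, int(status)))
    return hits


if __name__ == "__main__":
    print("patched:", is_patched(9511))
    for h in suspicious_hub_requests(SAMPLE_LOG):
        print(f"{h.time} anonymous POST from {h.client_ip} to {h.path} -> {h.status}")
```

A hit from an address that is not your known hub server is worth treating as a compromise indicator rather than noise, since the article describes the endpoint being driven by an attacker-controlled HTTP server; the authenticated request in the sample (user `admin`) is deliberately not flagged, because the flaw's distinguishing feature is anonymous access.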
Read at SecurityWeek