SmarterTools has fixed multiple serious security flaws in its SmarterMail email software, including a critical issue that could allow attackers to run malicious code on affected systems.
One of the most severe flaws, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10. It could allow an attacker to take control of a SmarterMail server without logging in: by pointing the software at a malicious server, an attacker could force it to run harmful operating system commands.
Security researchers from watchTowr, CODE WHITE GmbH, and VulnCheck discovered and reported the issue.
SmarterTools fixed this vulnerability in Build 9511, released on January 15, 2026. The same update also patched another critical flaw (CVE-2026-23760, CVSS 9.3) that has already been actively exploited by attackers in real-world attacks.
In addition, the company addressed a medium-severity vulnerability (CVE-2026-25067, CVSS 6.9) that could be used to trick SmarterMail into making unauthorized network connections. This flaw could enable credential theft and NTLM relay attacks on Windows systems.
This issue was fully patched in Build 9518, released on January 22, 2026.
With multiple SmarterMail vulnerabilities recently exploited in the wild, SmarterTools is urging users to update to the latest version immediately, since unpatched installations remain exposed to the flaws described above.
