Critical SmarterMail RCE Exploited in the Wild
- Jan 22
Key Findings
Researchers at watchTowr Labs have discovered a critical vulnerability in SmarterMail, tracked as WT-2026-0001, that allows unauthenticated attackers to hijack administrative accounts and achieve full Remote Code Execution (RCE).
The vulnerability lies within the force-reset-password API endpoint, which fails to implement proper security checks for system administrators.
Attackers can simply send a JSON request with IsSysAdmin set to true, the target username, and a new password to take over the administrator's account without validating the old password.
Threat actors are actively exploiting this flaw to seize control of email servers, with evidence of successful attacks just two days after the vendor released a patch.
The report highlights that SmarterMail includes a "Volume Mounts" feature whose Volume Mount Command field is executed by the underlying operating system, so any account with admin rights has a built-in path to arbitrary command execution.
Background
The discovery of this critical vulnerability comes just weeks after a previous Remote Code Execution (RCE) incident in the SmarterMail ecosystem. According to the researchers, the situation has "a timeline that is typically reserved for KEV hall-of-famers".
Authentication Bypass Vulnerability
The vulnerability lies within the force-reset-password API endpoint of the SmarterMail web interface. This endpoint, intended for legitimate password recovery, fails to implement basic security checks for system administrators.
The endpoint is marked to allow anonymous access, which is normal for a password-reset flow. The critical failure is in the branch that handles system administrator requests: there are no security controls at all, no authentication, no authorization, and no verification of the old password.
An attacker simply sends a JSON request with IsSysAdmin set to true, the target username, and a new password. The server then overwrites the administrator's credentials without validating the old password, a check that, ironically, is enforced for regular users.
The researchers confirm that this is a complete authentication bypass for the system administrator account, allowing attackers to "Enjoy your admin access!"
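To make the flaw concrete, the following is an added model of the logic the report describes (it is example code, not SmarterMail's source) with the vulnerable branch beside the check that the vendor's fix is described as adding (old-password validation before any reset). The field names Username, OldPassword and NewPassword, the store layout, and the hashing are assumptions; only IsSysAdmin is named by the report.

```python
"""Added example (not SmarterMail's code): vulnerable vs. fixed force-reset-password logic."""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Any slow hash works here; PBKDF2 keeps the example dependency-free.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Minimal in-memory account store (assumed layout, for illustration only)."""

    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "sysadmin"}

    def add(self, username: str, password: str, is_sysadmin: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "sysadmin": is_sysadmin}

    def check(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

    def set_password(self, username: str, password: str) -> None:
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = _hash(password, user["salt"])


def vulnerable_force_reset(store: UserStore, req: dict) -> dict:
    """Anonymous endpoint as described in the report: the sysadmin branch verifies nothing."""
    username = req.get("Username", "")
    if username not in store.users:
        return {"success": False, "reason": "no such user"}
    if req.get("IsSysAdmin"):
        # BUG: a request-controlled flag skips authentication, authorization
        # and the old-password check entirely.
        store.set_password(username, req["NewPassword"])
        return {"success": True}
    # Regular users do get the old-password check.
    if not store.check(username, req.get("OldPassword", "")):
        return {"success": False, "reason": "bad old password"}
    store.set_password(username, req["NewPassword"])
    return {"success": True}


def patched_force_reset(store: UserStore, req: dict) -> dict:
    """Same flow with the old-password check applied unconditionally.

    IsSysAdmin in the request body is never consulted: the caller's role must
    come from the server-side account record, not from attacker-controlled JSON.
    """
    username = req.get("Username", "")
    if username not in store.users:
        return {"success": False, "reason": "no such user"}
    if not store.check(username, req.get("OldPassword", "")):
        return {"success": False, "reason": "bad old password"}
    store.set_password(username, req["NewPassword"])
    return {"success": True}


if __name__ == "__main__":
    takeover = {"IsSysAdmin": True, "Username": "admin", "NewPassword": "attacker-chosen"}
    s = UserStore()
    s.add("admin", "original-secret", is_sysadmin=True)
    print("vulnerable:", vulnerable_force_reset(s, takeover), "attacker pw works:", s.check("admin", "attacker-chosen"))
    s = UserStore()
    s.add("admin", "original-secret", is_sysadmin=True)
    print("patched:   ", patched_force_reset(s, takeover), "original pw intact:", s.check("admin", "original-secret"))
```

The point of the patched variant is not only the added check but that the role flag is no longer read from the request at all; a reset endpoint that branches on a client-supplied "I am an admin" field is already a design defect, whatever checks sit behind it.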
Active Exploitation
The report highlights that threat actors are actively exploiting this flaw to seize control of email servers. watchTowr received a tip from an anonymous reader whose logs showed suspicious activity just days after the vendor released a patch.
The provided logs reveal an efficient attack pattern: the attacker force-resets the administrator password, logs in as the admin, creates a malicious event, and then creates a new domain, all within a matter of minutes. The log entry that confirms exploitation of WT-2026-0001 is "User @ successfully force-reset-password", in which the requester field carries no username or domain.
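The sequence above is what a responder would hunt for in SmarterMail's administrative logs. The following added example (not from the report or the vendor) runs that hunt over a constructed log excerpt: it treats a force-reset-password entry with an empty "User @" identity as the indicator, then correlates follow-on admin login, event creation and domain creation from the same source address within a short window. The line layout (timestamp, bracketed IP, message) and the wording of the follow-on messages are assumptions; real SmarterMail log formatting may differ and the regexes would need adjusting.

```python
"""Added example (not the report's or the vendor's code): hunt for the WT-2026-0001 pattern."""
import re
from datetime import datetime, timedelta

# Assumed line layout: "<timestamp> [<client ip>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<ip>[^\]]+)\] (?P<msg>.*)$")

# The identity in the reset entry is "<user>@<domain>"; an empty identity ("@") is the indicator.
RESET_RE = re.compile(r"^User (?P<who>\S*) successfully force-reset-password$")

FOLLOWUP_RES = {
    "admin_login": re.compile(r"^User \S+ successfully logged in$"),
    "event_created": re.compile(r"created event"),
    "domain_created": re.compile(r"created domain"),
}

# Constructed sample log; not real captured data.
SAMPLE_LOG = """\
2026-01-17 03:14:05 [203.0.113.45] User @ successfully force-reset-password
2026-01-17 03:14:09 [203.0.113.45] User admin successfully logged in
2026-01-17 03:15:40 [203.0.113.45] User admin created event 'nightly-sync'
2026-01-17 03:16:02 [203.0.113.45] User admin created domain 'relay.example'
2026-01-17 08:00:00 [198.51.100.7] User admin successfully logged in
2026-01-17 08:01:30 [198.51.100.7] User bob@example.com successfully force-reset-password
2026-01-17 09:30:00 [192.0.2.9] User @ successfully force-reset-password
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group("ip"),
            "msg": m.group("msg"),
        })
    return entries


def detect(text: str, window: timedelta = timedelta(minutes=15)) -> list:
    """Return one finding per anonymous force-reset, with correlated follow-on actions.

    Severity is "high" when the same IP goes on to create an event or a domain,
    "medium" when it only logs in, and "low" when the reset stands alone.
    """
    entries = parse_log(text)
    findings = []
    for i, e in enumerate(entries):
        m = RESET_RE.match(e["msg"])
        if not m or m.group("who") != "@":
            continue  # a reset with a real identity is an ordinary user reset
        followups = set()
        for later in entries[i + 1:]:
            if later["ip"] != e["ip"]:
                continue
            if later["ts"] - e["ts"] > window:
                break
            for name, rx in FOLLOWUP_RES.items():
                if rx.search(later["msg"]):
                    followups.add(name)
        if followups & {"event_created", "domain_created"}:
            severity = "high"
        elif followups:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"ip": e["ip"], "reset_at": e["ts"], "followups": followups, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["reset_at"], sorted(f["followups"]))
```

A low-severity hit is still worth a look: the attacker may have used a different address for the follow-on actions, and the report's key point is that the anonymous force-reset entry is, on its own, evidence that the endpoint was abused.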
Remote Code Execution
Accessing the admin panel is only the first step. SmarterMail includes a "Volume Mounts" feature that lets administrators map storage drives, and it takes a command to run as part of the mount. For anyone holding admin rights this is effectively a built-in backdoor, since the command is executed as supplied by the underlying operating system.
By creating a new volume and supplying an arbitrary command (such as cmd.exe /c calc) in the Volume Mount Command field, attackers can trigger immediate execution by the underlying OS. The researchers' proof of concept demonstrates that this results in a SYSTEM-level shell on the target host.
Vendor Response
SmarterTools released Build 9511 on January 15, 2026, to address this vulnerability. The patch adds a validation step that checks the user's old password before allowing a reset.
Sources
https://securityonline.info/enjoy-your-admin-access-critical-smartermail-rce-exploited-in-the-wild/
https://securityonline.info/under-attack-critical-cisco-rce-cve-2026-20045-exploited-in-the-wild/
https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html