
Oh no, not again - Hackers targeting SmarterTools SmarterMail for the second time in weeks

Week-old patch likely already reverse engineered and exploited en masse, as one expert says, “Assume breach, patch now, and start hunting for compromise”.

Fri, 23 Jan 2026

Just two weeks ago, government agencies and analysts alike were deeply concerned about a vulnerability in the popular Microsoft Exchange alternative, SmarterTools’ SmarterMail business email and collaboration suite.

That was bad enough, with many users of the platform openly reporting malicious behaviour since the Cyber Security Agency of Singapore drew attention to the vulnerability last month.

Now, SmarterMail is under the microscope yet again, as malicious actors appear to have reverse engineered another new patch, one that was only released on January 15.

Once again, users are reporting widespread activity, with hackers seemingly resetting admin passwords with impunity.

Analysts at cyber security firm watchTowr quickly got on the case, looking for a smoking gun and finding an entire arsenal of red flags.

WT-2026-0001 – it doesn’t appear to have a CVE, yet – is an Authentication Bypass vulnerability that allows any user to reset the SmarterMail system administrator password. As we said, it was patched a week ago, but it appears hackers have already decompiled the fix. And not only are they resetting passwords – the password reset process does not appear to have any active security controls, at least for privileged accounts – they’re going much, much further.

“Even though we are technically dealing with the Authentication Bypass vulnerability, it provides a direct path to remote code execution,” watchTowr said in a January 22 blog post.

“SmarterMail exposes built-in functionality that allows a system administrator to execute operating system commands.”

watchTowr was able to eventually deploy a SYSTEM-level shell on the target host as part of a proof-of-concept. In the words of Benjamin Harris, CEO and founder of watchTowr, “This is bad”.

“Just two weeks ago we shared analysis on a SmarterTools vulnerability that was silently patched and left sysadmins vulnerable for nearly three months,” Harris told Cyber Daily.

“Today, we’re seeing active, widespread exploitation of a new bug that received a patch less than a week ago. The fix has already been reverse-engineered, and exploitation leads straight to full RCE.

“Don’t waste time debating likelihood. Assume breach, patch now, and start hunting for compromise.”

You can read the full report, complete with code analysis, here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
