SmarterTools is continuing to have a rough time with its SmarterMail email platform, with yet another vulnerability now being targeted by hackers.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24423 to its Known Exploited Vulnerabilities Catalog overnight, almost two weeks to the day after the vulnerability was first disclosed.
CVE-2026-24423 is an unauthenticated remote code execution vulnerability in SmarterMail’s ConnectToHub API method.
“The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command,” its CVE listing said.
“This command will be executed by the vulnerable application.”
This vulnerability has a CVSS score of 9.3, making it a critical-severity issue, and one that impacts every version of the platform before version 100.0.9511.
SmarterTools has been dealing with a string of vulnerabilities in its email platform since the middle of last month.
CISA also added a second vulnerability to its naughty list at the same time. CVE-2025-11953 was initially disclosed in November 2025 and impacts the React Native Community CLI.
“The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection,” the CVE entry said.
“This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.”
The vulnerability was originally disclosed by the JFrog Security Research team, which provided a little more detail on the flaw in a November blog post.
“Unlike typical vulnerabilities in development servers that are only exploitable from a developer’s local machine, a second security issue that the team spotted in React Native’s core codebase, exposes the development server to external network attacks – making the former vulnerability a highly critical issue,” JFrog said at the time.
The @react-native-community/cli NPM package is downloaded about 2 million times every week, and given CVE-2025-11953’s CVSS score of 9.3, this makes for a very worrying situation.
The vulnerability impacts versions from 4.8.0 to 20.0.0.
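For teams checking their own exposure, the sketch below is an added example (not code from JFrog, CISA or the React Native project) that scans a parsed `package-lock.json` for copies of `@react-native-community/cli` inside the version range quoted above. Treating both ends of that range as inclusive is an assumption, and the sample lockfile is constructed.

```javascript
// Added example: flag @react-native-community/cli copies in the range the
// article gives (4.8.0 to 20.0.0). Inclusive bounds are an assumption;
// confirm the exact fixed version against the vendor advisory.
const PKG = "@react-native-community/cli";
const LOW = "4.8.0", HIGH = "20.0.0";

// Split "20.0.0-alpha.2" into a numeric core [20,0,0] and a prerelease flag.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version || "");
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Simplified semver ordering: a prerelease sorts below its own release.
// Prerelease identifiers are not compared with each other (the bounds have none).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  return Number(b.pre) - Number(a.pre);
}

function isAffected(version) {
  const v = parse(version);
  if (!v) return false; // unparseable (git URL, dist-tag): review by hand
  return compare(v, parse(LOW)) >= 0 && compare(v, parse(HIGH)) <= 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under other packages' node_modules.
function findAffectedCli(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isCli = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (isCli && isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (not real project data).
const sampleLock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/@react-native-community/cli": { version: "20.0.0-alpha.2" },
    "node_modules/react-native/node_modules/@react-native-community/cli": { version: "4.7.0" },
    "node_modules/old-tool/node_modules/@react-native-community/cli": { version: "12.3.6" },
    "node_modules/@react-native-community/cli-server-api": { version: "12.3.6" },
  },
};
console.log(findAffectedCli(sampleLock));
```

In a real project, pass in `JSON.parse` of the lockfile contents instead of `sampleLock`; nested copies matter because a transitive dependency can pin an older CLI than the top-level one.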
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.