Breached: SmarterMail authentication bypass vulnerability exploited more than 1,000 times in two weeks

CVE-2026-24423 was disclosed three weeks ago, but hackers are making hay while the sun shines, and the vulnerability remains unpatched.

Wed, 11 Feb 2026
SmarterTools’ very bad, no good time with its SmarterMail email management platform continues, with cyber security analysts observing the continued exploitation of unpatched installs.

CVE-2026-24423 – an unauthenticated remote code execution vulnerability in SmarterMail’s ConnectToHub API method – was disclosed more than two weeks ago, and added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog on February 6.

However, despite continued coverage, hackers are still having a field day with the vulnerability, according to cyber security firm watchTowr's Head of Proactive Threat Intelligence, Ryan Dewhurst.

“Mass exploitation of CVE-2026-24423 kicked off on January 28th. Since then, watchTowr has observed over 1,000 exploitation attempts originating from approximately 60 unique attacker IPs and has identified multiple huAddress URLs used for out-of-band callbacks,” Dewhurst told Cyber Daily.

“A consistent marker in these requests is the nodeName field, often set to victim-$unix_epoch. It appears to be a simple yet effective way for attackers to label victims and link callbacks – nothing fancy, but it works.”

What makes the ongoing exploitation particularly interesting is its timing, which suggests the threat actors are working only nine-to-five workdays.

“The pattern also reveals itself. Exploitation has remained consistently steady since it was first observed, with one clear exception: weekends. Activity drops sharply and then quickly picks up again at the start of the workweek,” Dewhurst said.

“It appears mostly driven by operators during business hours. Either way, exploitation is ongoing, repeatable, and remains predictable.”
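The two observations quoted above, the victim-$unix_epoch label in the nodeName field with a huAddress callback URL, and the weekday-heavy tempo, both lend themselves to a simple log review. The following script is an added example, not watchTowr's tooling or anything from SmarterTools: it walks constructed request-log lines, flags ConnectToHub requests that carry the victim label or point huAddress at a host outside an operator-supplied allowlist, decodes the epoch in the label, and tallies attempts per source IP, callback host and weekday. The log line format, the route text and the allowlist heuristic are assumptions; the article names only the ConnectToHub method and the two body fields.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample log (not real SmarterMail logs): ISO timestamp, source IP,
# method, path, JSON body. Field names nodeName and huAddress are those reported
# by watchTowr; the "/api/ConnectToHub" route is an assumed placeholder, so the
# matcher keys on the method name appearing anywhere in the path.
SAMPLE_LOG = """\
2026-01-28T09:12:05Z 198.51.100.7 POST /api/ConnectToHub {"nodeName":"victim-1769591525","huAddress":"http://203.0.113.9:8080/cb"}
2026-01-28T09:12:06Z 198.51.100.7 POST /api/ConnectToHub {"nodeName":"victim-1769591526","huAddress":"http://203.0.113.9:8080/cb"}
2026-01-29T14:40:11Z 192.0.2.44 POST /api/ConnectToHub {"nodeName":"victim-1769697611","huAddress":"https://cb.example.invalid/x"}
2026-01-31T03:02:55Z 192.0.2.44 POST /api/ConnectToHub {"nodeName":"victim-1769828575","huAddress":"https://cb.example.invalid/x"}
2026-01-30T10:00:00Z 10.0.0.5 POST /api/ConnectToHub {"nodeName":"mail-primary","huAddress":"https://hub.internal.example/api"}
2026-01-30T10:00:01Z 10.0.0.6 GET /api/GetStatus {}
"""

# victim-<unix epoch>; current epochs are ten digits, nine allowed for slack.
VICTIM_LABEL = re.compile(r"^victim-(\d{9,10})$")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\{.*\})$")


def parse_line(line):
    """Split one constructed log line into a record, or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ts, ip, method, path, body = m.groups()
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": path,
        "body": data,
    }


def label_time(rec):
    """Decode the epoch embedded in a victim-$unix_epoch nodeName, if present."""
    m = VICTIM_LABEL.match(str(rec["body"].get("nodeName", "")))
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def is_exploit_attempt(rec, trusted_hubs):
    """A ConnectToHub request is suspicious if it carries the victim label or
    its huAddress host is not one of the hubs the operator actually uses."""
    if "connecttohub" not in rec["path"].lower():
        return False
    if label_time(rec) is not None:
        return True
    hub = str(rec["body"].get("huAddress", ""))
    return bool(hub) and urlparse(hub).hostname not in trusted_hubs


def summarize(log_text, trusted_hubs=frozenset()):
    """Aggregate flagged requests by attacker IP, callback host and weekday."""
    attempts = [
        rec
        for rec in map(parse_line, log_text.splitlines())
        if rec and is_exploit_attempt(rec, trusted_hubs)
    ]
    callbacks = {
        urlparse(str(r["body"].get("huAddress", ""))).hostname for r in attempts
    }
    callbacks.discard(None)
    return {
        "attempts": len(attempts),
        "attacker_ips": sorted({r["ip"] for r in attempts}),
        "callback_hosts": sorted(callbacks),
        "by_weekday": dict(Counter(r["ts"].strftime("%a") for r in attempts)),
        # weekday() >= 5 is Saturday/Sunday; the article reports a sharp dip there.
        "weekend_attempts": sum(1 for r in attempts if r["ts"].weekday() >= 5),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, trusted_hubs={"hub.internal.example"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The allowlist keeps a legitimate hub connection from being reported, while the victim label is treated as a positive indicator on its own, since no normal client sets it. The per-weekday tally is what lets a defender see the business-hours cadence Dewhurst describes once real logs are fed in; the callback hosts it extracts are the natural input for egress blocking and DNS review.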

Whether this suggests nation-state activity or simply criminal actors with an organised workflow remains to be seen. Regardless, at this stage, Dewhurst said network defenders should fear the worst.

“If you’re not already patched, you should probably assume you’ve been compromised. Even the vendor itself was caught off guard with an out-of-date server getting hit,” Dewhurst said.

“If the people shipping the fix can miss it, nobody gets a free pass.”

David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.