Vulnerability-Lookup

WID-SEC-W-2026-0133

Vulnerability from csaf_certbund - Published: 2026-01-15 23:00 - Updated: 2026-01-22 23:00

Summary

SmarterTools SmarterMail: Mehrere Schwachstellen

Severity

Kritisch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: SmarterMail von SmarterTools ist eine Mailserver-Software.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SmarterTools SmarterMail ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen und um sich Administratorrechte zu verschaffen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-23760

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://www.smartertools.com/smartermail/release-…	external
	https://labs.watchtowr.com/attackers-with-decompi…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "kritisch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "SmarterMail von SmarterTools ist eine Mailserver-Software.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SmarterTools SmarterMail ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren und um sich Administratorrechte zu verschaffen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0133 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0133.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0133 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0133"
      },
      {
        "category": "external",
        "summary": "SmarterMail Release Notes vom 2026-01-15",
        "url": "https://www.smartertools.com/smartermail/release-notes/current"
      },
      {
        "category": "external",
        "summary": "WatchTower Labs Report vom 2026-01-21",
        "url": "https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/"
      }
    ],
    "source_lang": "en-US",
    "title": "SmarterTools SmarterMail: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-01-22T23:00:00.000+00:00",
      "generator": {
        "date": "2026-01-23T07:41:09.501+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0133",
      "initial_release_date": "2026-01-15T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-01-15T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-01-21T23:00:00.000+00:00",
          "number": "2",
          "summary": "WatchTower berichtet Details und aktive Ausnutzung"
        },
        {
          "date": "2026-01-22T23:00:00.000+00:00",
          "number": "3",
          "summary": "CVE erg\u00e4nzt"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cBuild 9511",
                "product": {
                  "name": "SmarterTools SmarterMail \u003cBuild 9511",
                  "product_id": "T050055"
                }
              },
              {
                "category": "product_version",
                "name": "Build 9511",
                "product": {
                  "name": "SmarterTools SmarterMail Build 9511",
                  "product_id": "T050055-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:smartertools:smartermail:build_9511"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SmarterMail"
          }
        ],
        "category": "vendor",
        "name": "SmarterTools"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23760",
      "product_status": {
        "known_affected": [
          "T050055"
        ]
      },
      "release_date": "2026-01-15T23:00:00.000+00:00",
      "title": "CVE-2026-23760"
    }
  ]
}

CVE-2026-23760 (GCVE-0-2026-23760)

Vulnerability from cvelistv5 – Published: 2026-01-22 14:35 – Updated: 2026-03-05 01:30 X_Known Exploited Vulnerability

Title

SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API

Summary

SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

VulnCheck

References

URL

Tags

	https://www.smartertools.com/smartermail/release-…	release-notespatch
	https://labs.watchtowr.com/attackers-with-decompi…	technical-descriptionexploit
	https://code-white.com/public-vulnerability-list/…	third-party-advisory
	https://www.vulncheck.com/advisories/smartertools…	third-party-advisory

Impacted products

	Vendor	Product	Version
	SmarterTools	SmarterMail	Affected: 0 , < 100.0.9511 (custom)

Credits

Piotr Bazydlo & Sina Kheirkhah of watchTowr Markus Wulftange of CODE WHITE GmbH

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23760",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T04:55:31.462513Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-01-26",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:32.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SmarterMail",
          "vendor": "SmarterTools",
          "versions": [
            {
              "lessThan": "100.0.9511",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "100.0.9511",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Piotr Bazydlo \u0026 Sina Kheirkhah of watchTowr"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Markus Wulftange of CODE WHITE GmbH"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE:\u0026nbsp;SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host."
            }
          ],
          "value": "SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE:\u00a0SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T01:30:23.457Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.smartertools.com/smartermail/release-notes/current"
        },
        {
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_known-exploited-vulnerability"
      ],
      "title": "SmarterTools SmarterMail \u003c Build 9511 Authentication Bypass via Password Reset API",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-23760",
    "datePublished": "2026-01-22T14:35:17.235Z",
    "dateReserved": "2026-01-15T18:42:20.938Z",
    "dateUpdated": "2026-03-05T01:30:23.457Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0133

CVE-2026-23760 (GCVE-0-2026-23760)

Tags

Sightings

Nomenclature