Over 6,000 SmarterMail servers exposed and likely vulnerable to critical auth bypass

A report by Shadowserver found more than 6,000 SmarterMail servers exposed online and likely vulnerable to a critical authentication bypass, with over 4,200 in North America and nearly 1,000 in Asia.

KEY FACTS

  • Incident: Over 6,000 Internet-exposed SmarterMail instances flagged as likely vulnerable
  • Vulnerability: Tracked as CVE-2026-23760 and rated critical
  • Patch: Vendor release notes show a fix in build 9511 on January 15
  • Action: CISA lists the CVE in its Known Exploited Vulnerabilities catalog with a February 16 deadline for agencies

The flaw was reported to the vendor on January 8 and a vendor fix appeared in build 9511 on January 15.

The NIST advisory assigns CVE-2026-23760 and rates it critical. The advisory describes a password reset endpoint that accepts anonymous requests and does not verify the existing password or a reset token, allowing an attacker to set a new password for administrator accounts and gain remote code execution on the host.
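The defect class the advisory describes, as an added illustration that is not SmarterMail's code: a password-reset handler that changes any account's password for any caller, beside a hardened version that requires the current password or a valid, unexpired, single-use reset token. The AccountStore class, the 900-second token lifetime and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 900  # assumed reset-token lifetime (not a vendor value)

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    """Constructed in-memory stand-in for the mail server's user database."""
    def __init__(self):
        self._creds = {}   # username -> (salt, PBKDF2 hash)
        self._tokens = {}  # username -> (reset token, expiry epoch seconds)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _pbkdf2(password, salt))

    def verify_password(self, user, password):
        salt, digest = self._creds.get(user, (b"", b""))  # unknown user never matches
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def issue_reset_token(self, user, now):
        token = secrets.token_urlsafe(32)
        self._tokens[user] = (token, now + TOKEN_TTL_SECONDS)
        return token

    def consume_reset_token(self, user, token, now):
        # Accept only a matching, unexpired token, and burn it on use.
        issued = self._tokens.get(user)
        ok = issued is not None and now <= issued[1] and hmac.compare_digest(
            issued[0].encode(), token.encode())
        if ok:
            del self._tokens[user]
        return ok

def reset_password_vulnerable(store, user, new_password):
    # Defect class in the advisory: no caller identity, credential or token is
    # checked, so knowing a username is enough to set its password.
    store.set_password(user, new_password)
    return True

def reset_password_hardened(store, user, new_password,
                            current_password=None, reset_token=None, now=0):
    # Require proof of account control: current password or a valid reset token.
    proven = (current_password is not None and store.verify_password(user, current_password)) \
        or (reset_token is not None and store.consume_reset_token(user, reset_token, now))
    if proven:
        store.set_password(user, new_password)
    return proven
```

Each handler returns True only when the password was changed, so the hardened version can be audited directly: every False is a rejected anonymous, wrong-credential, expired or replayed request.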

A proof-of-concept exploit requires only prior knowledge of an administrator username, which makes automated attacks against exposed servers practical. The Shadowserver report tracks the likely vulnerable instances, and an independent scan returned more than 8,550 SmarterMail instances that were still vulnerable.

CVE-2026-23760 appears in the CISA known exploited vulnerabilities catalog with a U.S. government remediation deadline of February 16. Administrators are advised to apply the vendor fix or follow vendor guidance, or discontinue use if mitigations are unavailable.

WHY IT MATTERS

The flaw permits unauthenticated takeover of administrator accounts and remote code execution, creating a path for full server compromise. Applying the vendor update or removing exposed instances reduces the risk of mass automated exploitation.