An authentication bypass in SmarterMail that lets an unauthenticated attacker reset the system administrator password and, from there, execute operating system commands with SYSTEM privileges was being exploited in the wild two days after the vendor shipped a patch on January 15, 2026, according to a technical analysis by watchTowr Labs.
KEY FACTS
- Incident: Authentication bypass exploited shortly after a vendor patch
- Affected: SmarterMail email server
- Patch: Build 9511, released January 15, 2026
- Impact: Administrator password reset and possible SYSTEM-level remote code execution
- Evidence: Logs show the force-reset-password endpoint used on January 17, 2026
The flaw lies in the /api/v1/auth/force-reset-password endpoint, handled by SmarterMail.Web.Api.AuthenticationController.ForceResetPassword. The endpoint is reachable without authentication and accepts a boolean field named IsSysAdmin in the request body that selects the privileged code path.
When IsSysAdmin is true, the handler loads the configuration for the supplied username, builds a system administrator record carrying the new password, and saves it over the existing administrator account. Because the privilege decision is driven by a value the client controls rather than by an authenticated identity, anyone who knows an administrator username can set that account's password.
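The pattern described above, a client-supplied flag standing in for authorization, is shown below beside a handler that derives the privilege from the authenticated session instead. This is an added illustration for this article, not SmarterMail's code: the request and session shapes, the account store and the function names are all assumptions, and the vulnerable variant models only the logic the analysis describes, not the real implementation.

```python
"""Client-controlled privilege flag versus server-derived authorization.

Added illustration; not SmarterMail code. `Request`, `Session`,
`reset_password_vulnerable`, `reset_password_hardened` and the ACCOUNTS
store are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """What the server knows about an authenticated caller."""
    username: str
    is_sysadmin: bool


@dataclass
class Request:
    body: dict                       # parsed JSON body as sent by the client
    session: Optional[Session] = None  # None models an unauthenticated caller


# Constructed in-memory account store: username -> record.
ACCOUNTS = {
    "admin": {"password": "original-admin-secret", "is_sysadmin": True},
    "alice": {"password": "alice-secret", "is_sysadmin": False},
}


class Unauthorized(Exception):
    pass


def reset_password_vulnerable(req, accounts):
    """Trusts the body for both identity and privilege: the flawed pattern.

    No session is consulted, so an unauthenticated caller who sets
    IsSysAdmin=true and names an administrator can choose that password.
    """
    if req.body.get("IsSysAdmin") is True:
        user = req.body["Username"]
        accounts[user]["password"] = req.body["NewPassword"]
        return "reset"
    return "ignored"


def reset_password_hardened(req, accounts):
    """Takes the privilege from the authenticated session, never from the body.

    The IsSysAdmin body field is simply not read; whether the caller may
    reset another account is decided by who the server knows they are.
    """
    if req.session is None:
        raise Unauthorized("authentication required")
    if not req.session.is_sysadmin:
        raise Unauthorized("system administrator role required")
    user = req.body["Username"]
    if user not in accounts:
        raise KeyError("unknown user")
    accounts[user]["password"] = req.body["NewPassword"]
    return "reset"


if __name__ == "__main__":
    store = {k: dict(v) for k, v in ACCOUNTS.items()}
    anon = Request(body={"Username": "admin", "IsSysAdmin": True, "NewPassword": "x"})
    print("vulnerable:", reset_password_vulnerable(anon, store), store["admin"]["password"])
    try:
        reset_password_hardened(anon, store)
    except Unauthorized as exc:
        print("hardened rejects unauthenticated caller:", exc)
```

The point of the hardened variant is not the extra `if`; it is that the request body no longer participates in the authorization decision at all. Any field a client can send is input, and input cannot be the source of a role.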
The authentication bypass leads directly to remote code execution through a built-in administrative feature that runs operating system commands: an administrator-created volume mount can include a Volume Mount Command, which the host executes with SYSTEM privileges.
Logs posted to a community portal show the force-reset-password endpoint being used to change an administrator password on January 17, 2026. The timing suggests the attackers may have reverse-engineered the patch to reconstruct the flaw. It is not clear how widespread exploitation is or whether administrators were notified in advance.
WHY IT MATTERS
The combination of an unauthenticated administrator password reset and a built-in command execution feature is enough for full server compromise. Administrators should apply the vendor patch (Build 9511) and monitor logs for requests to the force-reset-password endpoint.
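The log review recommended above can be scripted. The following is an added example for this article, not a tool from SmarterMail or watchTowr Labs: it parses a constructed, simplified access-log layout (date, time, client, method, path, status), picks out requests to the endpoint named in the analysis, and separates the ones the server answered with a 2xx, which are the candidates for an actual password change. The sample lines are constructed; the endpoint path is the one from the article and the other paths are placeholders. The regular expression must be adapted to the format your IIS instance or reverse proxy writes.

```python
"""Find requests to the force-reset-password endpoint in access logs.

Added example; not SmarterMail or watchTowr code. Log layout, sample
lines and the placeholder paths are constructed for illustration.
"""
import re
from collections import Counter

WATCHED_PATH = "/api/v1/auth/force-reset-password"  # endpoint named in the analysis

# Constructed sample records: "date time client method path status".
SAMPLE_LOG = """\
2026-01-17 03:12:02 198.51.100.23 GET /api/v1/placeholder/other 401
2026-01-17 03:12:41 198.51.100.23 POST /api/v1/auth/force-reset-password 200
2026-01-17 08:15:10 192.0.2.10 GET /placeholder/webmail 200
2026-01-17 11:02:17 203.0.113.7 POST /API/v1/Auth/Force-Reset-Password?dbg=1 200
2026-01-17 11:03:00 203.0.113.7 POST /api/v1/auth/force-reset-password 500
this line is not a log record
"""

# Adjust this to the real log layout; the five groups are what the code relies on.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one record; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, raw_path, status = m.groups()
    # Match on the path alone: strip the query string and fold case so a
    # trivially varied URL is still recognised.
    path = raw_path.split("?", 1)[0].lower()
    return {"ts": ts, "client": client, "method": method,
            "path": path, "status": int(status)}


def find_force_resets(log_text):
    """Return every parsed record whose path is the watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == WATCHED_PATH:
            hits.append(rec)
    return hits


def successful_resets(hits):
    """Hits the server answered with 2xx: treat these as probable password changes."""
    return [h for h in hits if 200 <= h["status"] < 300]


def per_client(hits):
    """Count hits per client address for triage."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    hits = find_force_resets(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["client"]} {h["method"]} status={h["status"]}')
    print("successful:", len(successful_resets(hits)))
    print("per client:", dict(per_client(hits)))
```

Failed attempts (non-2xx) still matter: on a patched server they are the signal that someone is trying, and on an unpatched one a 500 may only mean the supplied username did not exist. Any hit at all against this endpoint from an address you do not recognise warrants checking the administrator accounts and the volume mount configuration the article describes.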

