
SmarterMail auth bypass flaw now exploited to hijack admin accounts

Hackers have started exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail e-mail server and collaboration software that allows administrator passwords to be reset without authentication.

An authentication bypass vulnerability in SmarterTools SmarterMail, which allows unauthenticated attackers to reset the system administrator password and obtain full privileges, is now being actively exploited in the wild.

The problem lies in the force-reset-password API endpoint, which is intentionally exposed without authentication.


Researchers at cybersecurity firm watchTowr reported the issue on January 8, and SmarterTools released a fix on January 15 without a CVE identifier being assigned.

After the issue was addressed, the researchers found evidence that threat actors began exploiting it just two days later. This suggests that attackers reverse-engineered the patch and found a way to leverage the flaw.

SmarterMail is a self-hosted Windows e-mail server and collaboration platform developed by SmarterTools that provides SMTP/IMAP/POP e-mail, webmail, calendars, contacts, and basic groupware features.

It is commonly used by managed service providers (MSPs), small and medium-sized businesses, and hosting providers that offer e-mail services. SmarterTools claims that its products have 15 million users in 120 countries.


The CVE-less flaw arises from the 'force-reset-password' API endpoint accepting attacker-controlled JSON input, including an 'IsSysAdmin' boolean property which, if set to 'true', forces the backend to execute the system administrator password reset logic.

However, the mechanism does not perform any security checks or verify the old password, despite the 'OldPassword' field being present in the request, watchTowr researchers found.

As a result, anyone who knows or guesses an admin username can set a new password and hijack the account.

The researchers note that the flaw affects only admin-level accounts, not regular users.
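The reset logic described above, reduced to a small model with the vulnerable path beside a hardened one, as an added example that is neither the article's nor SmarterMail's code. Only the 'IsSysAdmin' and 'OldPassword' field names come from the report; the 'UserName' and 'NewPassword' fields, the user store, the hashing and the attacker request are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Simplified model, not SmarterMail's code. A single-user store keyed by username;
# the fixed salt is for the demo only (a real store salts per user).
SALT = b"fixed-salt-for-demo-only"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


def make_store() -> dict:
    """Constructed user store with one system administrator account."""
    return {"admin": {"is_sysadmin": True, "pw": _hash("OldAdminPass!")}}


def check_password(store: dict, username: str, password: str) -> bool:
    user = store.get(username)
    return user is not None and hmac.compare_digest(_hash(password), user["pw"])


def vulnerable_force_reset(store: dict, body: str) -> dict:
    """Flawed logic as the report describes it: no session is required, the
    client-supplied IsSysAdmin flag selects the admin reset path, and
    OldPassword is read from the JSON but never compared against anything."""
    req = json.loads(body)
    user = store.get(req.get("UserName"))
    if user is None:
        return {"ok": False, "reason": "unknown user"}
    if req.get("IsSysAdmin") is True and user["is_sysadmin"]:
        _ = req.get("OldPassword")              # present in the request, ignored
        user["pw"] = _hash(req["NewPassword"])  # attacker now owns the account
        return {"ok": True}
    return {"ok": False, "reason": "not a sysadmin reset"}


def hardened_force_reset(store: dict, body: str, session_user: Optional[str]) -> dict:
    """Hardened form: the caller must hold an authenticated session for the very
    account being changed, the server (not the client) decides who is a sysadmin,
    and the current password must verify before it is replaced."""
    req = json.loads(body)
    target = req.get("UserName")
    if session_user is None or session_user != target:
        return {"ok": False, "reason": "authentication required"}
    if not check_password(store, target, req.get("OldPassword", "")):
        return {"ok": False, "reason": "old password incorrect"}
    store[target]["pw"] = _hash(req["NewPassword"])
    return {"ok": True}


# Constructed attacker request: only the admin username has to be known or guessed.
ATTACK = json.dumps({"UserName": "admin", "IsSysAdmin": True,
                     "OldPassword": "whatever", "NewPassword": "pwned123"})

# Constructed legitimate request from the logged-in admin, with the real old password.
LEGIT = json.dumps({"UserName": "admin", "OldPassword": "OldAdminPass!",
                    "NewPassword": "N3wAdminPass!"})

if __name__ == "__main__":
    s = make_store()
    print("vulnerable:", vulnerable_force_reset(s, ATTACK), check_password(s, "admin", "pwned123"))
    s = make_store()
    print("hardened, no session:", hardened_force_reset(s, ATTACK, None))
    print("hardened, wrong old pw:", hardened_force_reset(s, ATTACK, "admin"))
    print("hardened, legit:", hardened_force_reset(s, LEGIT, "admin"))
```

The point of the hardened version is that the privilege decision and the identity of the caller both come from server-side state, so the 'IsSysAdmin' flag in the request body is simply irrelevant, and the 'OldPassword' field is actually checked rather than merely accepted.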

With admin-level access, attackers can run OS commands, giving them full remote code execution on the host.

watchTowr researchers have created a proof-of-concept exploit that demonstrates SYSTEM-level shell access.

Executing the exploit (Source: watchTowr)

The researchers learned that the vulnerability was being exploited in the wild from an anonymous user, who stated that someone was resetting administrator passwords.

To back their claims, the tipster pointed watchTowr researchers to a forum post describing a similar situation.


Analyzing the shared logs revealed that these attacks targeted the 'force-reset-password' endpoint, supporting the conclusion that the issue is currently under active exploitation.

Logs indicating active exploitation (Source: watchTowr)
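A log-triage script in the spirit of the check above, as an added example that is not part of the article or watchTowr's work. It scans web-server access logs for requests to the 'force-reset-password' endpoint and summarizes them per source address; the log lines, the combined-log format and the full URL path are constructed for the example and are not SmarterMail's actual log format or route.

```python
import re
from collections import defaultdict

# Combined-log-format parser (constructed format; adjust the regex to the real log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the endpoint name is from the report, the path prefix is assumed.
SAMPLE_LOGS = """\
203.0.113.7 - - [17/Jan/2026:02:14:01 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 41
203.0.113.7 - - [17/Jan/2026:02:14:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 41
198.51.100.9 - - [17/Jan/2026:02:15:10 +0000] "GET /interface/root HTTP/1.1" 200 8130
192.0.2.25 - - [17/Jan/2026:02:16:44 +0000] "POST /api/v1/auth/force-reset-password?x=1 HTTP/1.1" 500 52
198.51.100.9 - - [17/Jan/2026:02:17:00 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 312
"""


def is_reset_endpoint(path: str) -> bool:
    """True when the request path targets force-reset-password, ignoring any query string."""
    clean = path.split("?", 1)[0].rstrip("/").lower()
    return clean.endswith("force-reset-password")


def find_reset_abuse(log_text: str, allowlist=frozenset()) -> dict:
    """Return {source_ip: {count, success, first, last}} for every address that
    hit the reset endpoint. Because the endpoint is reachable without a session,
    any hit from an address outside the admin allowlist deserves a look; a 2xx
    status means the reset path completed, so treat that admin account as
    compromised until the password is rotated."""
    hits = defaultdict(lambda: {"count": 0, "success": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_reset_endpoint(m["path"]):
            continue
        if m["ip"] in allowlist:
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        if m["status"].startswith("2"):
            h["success"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for ip, h in find_reset_abuse(SAMPLE_LOGS).items():
        print(f"{ip}: {h['count']} reset attempt(s), {h['success']} succeeded, "
              f"{h['first']} .. {h['last']}")
```

Run it over the server's access logs for the window between the patch date and the day the fix was applied; any completed reset request from an address that is not a known administrator source should be treated as a confirmed account takeover, with the password rotated and the host checked for follow-on command execution.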

Two weeks earlier, watchTowr discovered a critical pre-auth RCE flaw in SmarterMail, tracked as CVE-2025-52691, which led to the discovery of the latest issue.

SmarterMail users are advised to upgrade to the latest version of the software, Build 9511, released on January 15, which addresses both issues.
