SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score
SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API
AI Analysis
Technical Summary
SmarterTools SmarterMail email server software contained a critical unauthenticated remote code execution vulnerability, identified as CVE-2026-24423 with a CVSS score of 9.3. The flaw resides in the ConnectToHub API method, which accepts input that lets an attacker redirect the application to a malicious HTTP server hosting OS commands. When processed, those commands execute with the privileges of the SmarterMail service, enabling full system compromise without any authentication or user interaction. The vulnerability affects all versions prior to build 9511, released on January 15, 2026.

Alongside this, another critical RCE vulnerability (CVE-2026-23760), which was under active exploitation, was patched in the same build. A medium-severity vulnerability (CVE-2026-25067) involving unauthenticated path coercion was fixed in build 9518; it could be abused for NTLM relay attacks and unauthorized network authentication by coercing the application to initiate SMB authentication to attacker-controlled hosts. The vulnerabilities were discovered by multiple security researchers and responsibly disclosed.

Given the critical nature of these flaws, especially the unauthenticated RCE, attackers could gain complete control over affected servers, potentially leading to data breaches, lateral movement, and persistent access. The absence of any authentication or user-interaction requirement significantly lowers the barrier to exploitation. SmarterMail is widely used in enterprise and service provider environments, making this a high-impact threat.
Potential Impact
For European organizations, the impact of these vulnerabilities is severe. SmarterMail servers compromised via the unauthenticated RCE could allow attackers to execute arbitrary commands, leading to full system takeover, data exfiltration, disruption of email services, and potential pivoting to internal networks. The NTLM relay vulnerability could facilitate credential theft and unauthorized access to other network resources, increasing the risk of lateral movement and broader compromise. Given the critical role of email servers in business communications, exploitation could disrupt operations, damage reputations, and cause regulatory compliance issues under GDPR due to potential data breaches. Organizations in sectors such as finance, government, healthcare, and telecommunications, which rely heavily on secure email infrastructure, are particularly at risk. The ease of exploitation without authentication or user interaction means that attackers can remotely compromise vulnerable servers at scale, increasing the likelihood of widespread attacks across Europe.
Mitigation Recommendations
European organizations using SmarterMail must upgrade immediately: build 9511 remediates the two critical RCE vulnerabilities, and build 9518 additionally fixes the NTLM relay issue, so build 9518 or later is the target. Network defenders should implement strict network segmentation and firewall rules to limit SmarterMail server exposure to untrusted networks, and in particular restrict outbound SMB traffic from the mail server to prevent NTLM relay abuse. Monitoring and alerting on unusual outbound connections from SmarterMail servers can help detect exploitation attempts. Application-layer firewalls or intrusion prevention systems with signatures for these vulnerabilities can add protection during patch rollout, but they do not replace the upgrade. Organizations should audit their SmarterMail deployments to identify all affected instances and verify the installed build. Regularly reviewing logs for suspicious activity related to ConnectToHub API calls or unexpected command execution is critical. Finally, running the SmarterMail service under a least-privilege account limits the impact of a successful exploit, since injected commands run with that account's privileges.
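As an added illustration of two of the checks above (this is example code written for this page, not SmarterTools' or any vendor's tooling), the script below triages SmarterMail build numbers against the fixed builds the advisory names and flags egress records from mail servers that the mitigations say should not occur: SMB to non-allowlisted hosts and HTTP/HTTPS to hosts outside the allowlist. The log format, host addresses and allowlist are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Fixed builds as stated in the advisory: 9511 for the two RCEs, 9518 for the
# NTLM coercion issue. Build numbers are compared as plain integers.
FIXED_BUILD = {"CVE-2026-24423": 9511, "CVE-2026-23760": 9511, "CVE-2026-25067": 9518}


def missing_fixes(build):
    """CVEs from the advisory that a SmarterMail instance at this build still lacks."""
    return sorted(cve for cve, fixed in FIXED_BUILD.items() if build < fixed)


# Hypothetical egress record format "<src> -> <dst>:<port> <proto>", constructed
# for this example; it is not SmarterMail's or any firewall vendor's real format.
LOG_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (tcp|udp)$")
WATCHED_PORTS = {445: "SMB egress (possible NTLM coercion, CVE-2026-25067)",
                 80: "HTTP egress (possible command fetch, CVE-2026-24423)",
                 443: "HTTPS egress (possible command fetch, CVE-2026-24423)"}


def flag_egress(lines, mail_servers, allowed_nets):
    """Return (src, dst, port, reason) for connections from mail servers on watched
    ports to destinations outside the allowlisted networks; other lines are ignored."""
    nets = [ip_network(n) for n in allowed_nets]
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than fail on them
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if src not in mail_servers or port not in WATCHED_PORTS:
            continue
        try:
            if any(ip_address(dst) in n for n in nets):
                continue  # destination is inside the allowlist
        except ValueError:
            pass  # hostname rather than IP: cannot be matched, so flag it
        findings.append((src, dst, port, WATCHED_PORTS[port]))
    return findings


SAMPLE_LOGS = [  # constructed records; 10.0.1.5 plays the SmarterMail host
    "10.0.1.5 -> 10.0.1.10:445 tcp",    # internal file server: expected
    "10.0.1.5 -> 203.0.113.7:445 tcp",  # SMB to external host: coercion indicator
    "10.0.1.5 -> 198.51.100.9:80 tcp",  # HTTP to unknown external host
    "10.0.1.5 -> 10.0.2.20:443 tcp",    # internal HTTPS: expected
    "10.0.3.9 -> 203.0.113.7:445 tcp",  # not a mail server: ignored
    "garbage line",
]

if __name__ == "__main__":
    print("missing fixes at build 9511:", missing_fixes(9511))
    for finding in flag_egress(SAMPLE_LOGS, {"10.0.1.5"}, ["10.0.0.0/8"]):
        print(finding)
```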
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Article source: https://thehackernews.com/2026/01/smartermail-fixes-critical.html (fetched 2026-01-30, 899 words)
Threat ID: 697c85b0ac063202224aa3d3
Added to database: 1/30/2026, 10:19:28 AM
Last enriched: 1/30/2026, 10:19:54 AM
Last updated: 2/6/2026, 7:31:55 PM