CVE-2026-24423
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-02-06

Assigner: VulnCheck

Description
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24423
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
smartertools smartermail to 100.0.9511 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24423 is a critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail versions prior to build 9511. It exists in the ConnectToHub API method, which lacks proper authentication. An attacker can exploit this by directing the vulnerable SmarterMail instance to a malicious HTTP server that serves a crafted operating system command. This command is executed by the application without any authentication or user interaction, allowing the attacker to run arbitrary code remotely. [1]

Impact Analysis

This vulnerability allows an attacker to execute arbitrary operating system commands remotely on the affected SmarterMail server without any authentication. This can lead to full compromise of the system, including unauthorized access, data theft, data manipulation, service disruption, and potentially complete control over the affected server. [1]

Detection Guidance

Detection can involve monitoring network traffic for attempts to access the ConnectToHub API method without authentication or unusual HTTP requests pointing to external servers serving commands. Specific commands are not provided in the resources, but generally, you can use network monitoring tools like Wireshark or tcpdump to capture HTTP requests to the SmarterMail server, and grep logs for ConnectToHub API access attempts. Additionally, scanning for SmarterMail versions prior to build 9511 can help identify vulnerable instances. [1]

Mitigation Strategies

The immediate mitigation step is to update SmarterMail to build 9511 or later, as this version contains the fix for the unauthenticated remote code execution vulnerability in the ConnectToHub API method. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24423. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart