A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.
The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026.
It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the "/api/v1/auth/force-reset-password" endpoint.
"The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands," watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said.
The problem is rooted in the function "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword," which not only allows the endpoint to be reached without authentication, but also leverages the fact that the reset request is accompanied by a boolean flag named "IsSysAdmin" to handle the incoming request depending on whether the user is a system administrator or not.
In case the flag is set to "true" (i.e., indicating that the user is an administrator), the underlying logic performs the following sequence of actions -
- Obtain the configuration corresponding to the username passed as input in the HTTP request
- Create a new system administrator item with the new password
- Update the administrator account with the new password
In other words, the privileged path is configured such that it can trivially update an administrator user's password by sending an HTTP request with the username of an administrator account and a password of their choice. This complete lack of security control could be abused by an attacker to obtain elevated access, provided they have knowledge of an existing administrator username.
It doesn't end there, for the authentication bypass provides a direct path to remote code execution through a built-in functionality that allows a system administrator to execute operating system commands on the underlying operating system and obtain a SYSTEM-level shell.
This can be accomplished by navigating to the Settings page, creating a new volume, and supplying an arbitrary command in the Volume Mount Command field that gets subsequently executed by the host's operating system.
The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same "force-reset-password" endpoint to change the password on January 17, 2026, two days after the release of the patch.
This likely indicates that the attackers managed to reverse engineer the patches and reconstruct the flaw. To make matters worse, it doesn't help that SmarterMail's release notes are vague and do not explicitly mention what issues were addressed. One item in the bulleted list for Build 9511 simply mentions "IMPORTANT: Critical security fixes."
In response, SmarterTools CEO Tim Uzzanti hinted that this is done so to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue.
"In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references," Uzzanti said in response to transparency concerns raised by its customers. "We appreciate the feedback that encouraged this change in policy moving forward."
It's currently not clear whether such an email was sent to SmarterMail administrators this time around. The Hacker News has reached out to SmarterTools for comment, and we will update the story if we hear back.
The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution.
