CVE Alert

CVE-2026-24423

UNKNOWN 0.0 ⚠️ CISA KEV

SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point the SmarterMail instance at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.

CWE: CWE-306
Vendor: smartertools
Product: smartermail
Published: Jan 23, 2026
Last Updated: Mar 5, 2026
⚠️ Actively Exploited — Act Now


Affected Versions

SmarterTools / SmarterMail
0 < 100.0.9511

References

NVD ↗ CVE.org ↗ EPSS Data ↗
smartertools.com: https://www.smartertools.com/smartermail/release-notes/current
code-white.com: https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
vulncheck.com: https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423

Credits

Sina Kheirkhah & Piotr Bazydlo of watchTowr
Markus Wulftange of CODE WHITE GmbH
Cale Black of VulnCheck