Tag

#smartertools

3 posts tagged #smartertools.

Analysis · May 5, 2026 · The Field Notes Desk

SmarterMail fixed a CVSS 10 and told no one for two months

CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
Analysis · May 5, 2026 · The Field Notes Desk

48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore

SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.
Analysis · May 5, 2026 · The Field Notes Desk

SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request

CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API. No credentials, no interaction, CVSS 9.8, confirmed ransomware. One of three critical SmarterMail CVEs in ten days. Here's what happened and what to do about it.