CVE

CVE-2019-7214

2field notes · 0digests

Field notes

Analysis · May 5, 2026 · The Field Notes Desk
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
Analysis · May 5, 2026 · The Field Notes Desk
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API. No credentials, no interaction, CVSS 9.8, confirmed ransomware. One of three critical SmarterMail CVEs in ten days. Here's what happened and what to do about it.