
SmarterMail auth bypass flaw now exploited to hijack admin accounts

Hackers began exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool that allows resetting admin passwords.

An authentication bypass vulnerability in SmarterTools SmarterMail, which allows unauthenticated attackers to reset the system administrator password and obtain full privileges, is now actively exploited in the wild.

The issue resides in the force-reset-password API endpoint, which is intentionally exposed without authentication.

Researchers at cybersecurity company watchTowr reported the issue on January 8, and SmarterMail released a fix on January 15 without an identifier being assigned.

After the issue was addressed, the researchers found evidence that threat actors started to exploit it just two days later. This suggests that hackers reverse-engineered the patch and found a way to leverage the flaw.

SmarterMail is a self-hosted Windows email server and collaboration platform developed by SmarterTools that provides SMTP/IMAP/POP email, webmail, calendars, contacts, and basic groupware features.

It is typically used by managed service providers (MSPs), small and medium-sized businesses, and hosting providers offering email services. SmarterTools claims that its products have 15 million users in 120 countries.

The CVE-less flaw arises from the 'force-reset-password' API endpoint accepting attacker-controlled JSON input, including an 'IsSysAdmin' boolean property which, if set to 'true', causes the backend to execute the system administrator password reset logic.

However, the mechanism does not perform any security controls or verify the old password, despite the 'OldPassword' field being present in the request, watchTowr researchers found.

As a result, anyone who knows or guesses an admin username could set a new password and hijack the account.
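As an added illustration that is not part of this article or of SmarterMail's own code, the hypothetical Python handler below models the pattern described above (a request-supplied IsSysAdmin flag selecting the admin reset path, OldPassword carried but never checked) next to a hardened version that requires a session, reads privilege from the server-side record and re-verifies the current password. The AccountStore, the function names and the field handling are assumptions.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    """Constructed in-memory account store; a stand-in, not SmarterMail's schema."""
    def __init__(self):
        self._accounts = {}

    def add(self, name, password, is_sysadmin=False):
        salt = secrets.token_bytes(16)
        self._accounts[name] = {"salt": salt, "hash": _hash(password, salt), "sysadmin": is_sysadmin}

    def exists(self, name):
        return name in self._accounts

    def is_sysadmin(self, name):
        return self._accounts[name]["sysadmin"]

    def verify(self, name, password):
        acct = self._accounts.get(name)
        return acct is not None and hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))

    def set_password(self, name, password):
        self.add(name, password, self._accounts[name]["sysadmin"])

def vulnerable_reset(store, body):
    """Pattern the article describes: no session, the JSON's own IsSysAdmin flag picks
    the admin reset path, and OldPassword is present but never checked."""
    if body.get("IsSysAdmin") is True and store.exists(body.get("Username")):
        store.set_password(body["Username"], body["NewPassword"])
        return True
    return False

def hardened_reset(store, session_user, body):
    """Hardened form: authenticated caller, privilege taken from the server-side record
    (never from the request), and the caller's current password re-verified."""
    if session_user is None or not store.exists(session_user):
        return False  # the endpoint must not be reachable anonymously
    target = body.get("Username", session_user)
    if target != session_user and not store.is_sysadmin(session_user):
        return False  # only a real sysadmin may reset someone else's password
    if not store.exists(target) or not store.verify(session_user, body.get("OldPassword", "")):
        return False  # re-authenticate with the current password, every time
    store.set_password(target, body.get("NewPassword", ""))
    return True
```

The same anonymous request that succeeds against vulnerable_reset is rejected by hardened_reset, and a non-admin session cannot promote itself by setting IsSysAdmin in the body.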