
Telegram channels expose rapid weaponization of SmarterMail flaws


Flare researchers monitoring underground Telegram channels and cybercrime forums have observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials related to recently disclosed SmarterMail vulnerabilities, providing insight into how quickly attackers weaponize new security flaws.

The activity occurred within days of the vulnerabilities being disclosed, with threat actors sharing and selling exploit code and compromised access tied to CVE-2026-24423 and CVE-2026-23760, critical flaws that enable remote code execution and authentication bypass on exposed email servers.

These vulnerabilities have since been confirmed in real-world attacks, including ransomware campaigns, highlighting how attackers increasingly target email infrastructure as an initial access point into corporate networks, allowing them to move laterally and establish persistent footholds.

CVE-2026-24423 and CVE-2026-23760: Critical RCE and Auth Bypass Flaws

Multiple recently disclosed SmarterMail vulnerabilities created a perfect storm that made the platform highly attractive to attackers. Among them, CVE-2026-24423 stands out as a critical unauthenticated remote code execution flaw affecting versions prior to Build 9511.

With a CVSS score of 9.3 and no user interaction required, the flaw is particularly suited for automation, large-scale scanning, and mass exploitation campaigns.

In parallel, an additional vulnerability, CVE-2026-23760 (CVSS 9.3), involves authentication bypass and password reset logic flaws. It allows attackers to reset administrator credentials or gain privileged access to the platform. Research also shows that attackers were quickly reverse-engineering patches to identify and weaponize these weaknesses within days of release.

When combined, these issues enabled full server takeover scenarios, where attackers could move from application-level access to operating system control and potentially domain-level compromise in connected environments.

From an attacker’s perspective, this combination is ideal: SmarterMail is a network-exposed service, often holds a high trust position inside enterprise environments, and in many cases is monitored less aggressively than endpoint systems protected by EDR.

Once proof-of-concept exploit code becomes available, exploitation can be rapidly operationalized, meaning the timeline from vulnerability disclosure to ransomware deployment can shrink to days.
