← Retour aux CVEs
CVE-2026-24423
CRITICALCISA KEV9.8
Description
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie1/23/2026
Derniere modification2/6/2026
Sourcekev
Observations honeypot0
CISA KEV
FournisseurSmarterTools
ProduitSmarterMail
Nom vulnerabiliteSmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
Date ajout KEV2026-02-05
Date limite remediation2026-02-26
Utilise dans ransomwareKnown
Produits affectes
smartertools:smartermail
Faiblesses (CWE)
CWE-306
References
https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail(disclosure@vulncheck.com)
https://www.smartertools.com/smartermail/release-notes/current(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api(disclosure@vulncheck.com)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.