CVE-2026-24423 PUBLISHED

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

• Sina Kheirkhah & Piotr Bazydlo of watchTowr finder
• Markus Wulftange of CODE WHITE GmbH finder
• Cale Black of VulnCheck finder

• https://www.smartertools.com/smartermail/release-notes/current
• https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
• https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api

• CWE-306 Missing Authentication for Critical Function CWE