LmCast :: Stay tuned in

Recorded: Jan. 22, 2026, 10:03 p.m.

SmarterMail auth bypass flaw now exploited to hijack admin accounts

By Bill Toulas
January 22, 2026, 01:44 PM
Hackers have begun exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration platform that lets them reset administrator passwords.
The flaw, which allows unauthenticated attackers to reset the system administrator password and obtain full privileges, is now actively exploited in the wild.
The issue resides in the 'force-reset-password' API endpoint, which is intentionally exposed without authentication.

Researchers at cybersecurity company watchTowr reported the issue on January 8, and SmarterTools released a fix on January 15 without a CVE identifier being assigned.
After the fix shipped, the researchers found evidence that threat actors started exploiting the flaw just two days later, which suggests attackers diffed the patch to locate the bug and weaponize it.
SmarterMail is a self-hosted Windows email server and collaboration platform developed by SmarterTools that provides SMTP/IMAP/POP email, webmail, calendars, contacts, and basic groupware features.
It is typically used by managed service providers (MSPs), small and medium-sized businesses, and hosting providers offering email services. SmarterTools claims that its products have 15 million users in 120 countries.
The CVE-less flaw arises because the 'force-reset-password' endpoint accepts attacker-controlled JSON input, including an 'IsSysAdmin' boolean property which, when set to 'true', makes the backend execute the system administrator password-reset logic.
That logic performs no authorization check and does not verify the old password, even though an 'OldPassword' field is present in the request, watchTowr researchers found.
As a result, anyone who knows or guesses an admin username can set a new password and hijack the account.
The researchers note that the flaw affects only admin-level accounts, not regular users.
With admin-level access, attackers can run OS commands, which amounts to full remote code execution on the host.
watchTowr researchers have created a proof-of-concept exploit that demonstrates SYSTEM-level shell access.
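The access-control gap described above, reduced to a runnable model. This is an added example written for this page, not SmarterMail code and not watchTowr's proof of concept: it models a password-reset handler that trusts an 'IsSysAdmin' flag in the request body and never verifies the caller or the 'OldPassword' field, next to a hardened handler that derives the target account from the server-side session and re-verifies the old password. The endpoint name and the 'IsSysAdmin' and 'OldPassword' fields come from the report; every other field name, the account store and the sample request bodies are assumptions constructed for the example.

```python
"""Illustrative model (not SmarterMail code) of an unauthenticated
'force-reset-password' handler that trusts an attacker-supplied IsSysAdmin
flag, beside a hardened version. Field names other than IsSysAdmin and
OldPassword, the account store and the sample bodies are assumptions."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed in-memory account store: username -> (salt, pbkdf2 hash)
ACCOUNTS: dict = {}

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

def add_account(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[user] = (salt, _hash(password, salt))

def verify(user: str, password: str) -> bool:
    rec = ACCOUNTS.get(user)
    if rec is None:
        _hash(password, b"\x00" * 16)      # burn the same time so timing does not leak usernames
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))

def vulnerable_force_reset(body: str) -> bool:
    """Models the reported behaviour: no caller authentication, the body's
    IsSysAdmin flag selects the admin reset path, and OldPassword is carried
    in the request but never checked."""
    req = json.loads(body)
    if req.get("IsSysAdmin") is True:            # attacker-controlled role flag
        user = req.get("Username")
        if user in ACCOUNTS:
            add_account(user, req["NewPassword"])  # OldPassword ignored
            return True
    return False

def hardened_force_reset(body: str, session_user: Optional[str]) -> bool:
    """Same request shape; the server decides whose password changes from the
    authenticated session, ignores any role claim in the body, and requires
    proof of the current password."""
    req = json.loads(body)
    if session_user is None:
        return False                               # no anonymous password changes
    if req.get("Username") != session_user:
        return False                               # cannot target another account
    if not verify(session_user, str(req.get("OldPassword", ""))):
        return False                               # old password must be proven
    add_account(session_user, req["NewPassword"])
    return True

# Constructed sample bodies for the demonstration (assumed field names)
SAMPLE_ATTACK = '{"IsSysAdmin": true, "Username": "admin", "OldPassword": "wrong", "NewPassword": "pwned"}'
SAMPLE_LEGIT = '{"IsSysAdmin": true, "Username": "admin", "OldPassword": "pwned", "NewPassword": "rotated"}'

if __name__ == "__main__":
    add_account("admin", "correct-horse")
    print("vulnerable handler reset admin:", vulnerable_force_reset(SAMPLE_ATTACK))
    print("hardened handler, anonymous:", hardened_force_reset(SAMPLE_ATTACK, None))
    print("hardened handler, wrong old password:", hardened_force_reset(SAMPLE_ATTACK, "admin"))
    print("hardened handler, correct old password:", hardened_force_reset(SAMPLE_LEGIT, "admin"))
```

The point of the hardened variant is that nothing in the request body decides who is being reset or what role they hold; those come from server-side state, and the 'OldPassword' field is actually consulted rather than merely accepted.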

[Image: Executing the exploit. Source: watchTowr]
The researchers learned that the vulnerability was being exploited in the wild from an anonymous tipster who reported that someone was resetting administrator passwords.
To back the claim, the tipster pointed watchTowr to a forum post describing a similar situation.
Examining the shared logs showed that the attacks targeted the 'force-reset-password' endpoint, supporting the conclusion that the issue is under active exploitation.

[Image: Logs indicating active exploitation. Source: watchTowr]
Two weeks earlier, watchTowr had discovered a critical pre-auth RCE flaw in SmarterMail, tracked as CVE-2025-52691, and that research led to the discovery of the latest issue.
SmarterMail users are advised to upgrade to the latest version, Build 9511, released on January 15, which addresses both issues.
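A triage helper for the two practical questions the preceding paragraphs raise: whether anything has been hitting the 'force-reset-password' endpoint from outside the networks administrators use, and whether a given install is at or above Build 9511. This is an added example, not a tool from watchTowr or SmarterTools. The endpoint name and the patched build number come from the article; the log layout (combined log format), the URL path prefix, the sample lines and the admin network allowlist are constructed assumptions, since the page does not show SmarterMail's actual log format.

```python
"""Added triage helper (not from watchTowr or SmarterTools). Scans access-log
lines for POSTs to the force-reset-password endpoint, groups them by source
address, flags sources outside an admin allowlist, and compares a build
number against the patched Build 9511. Log format, path prefix and the sample
lines are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict

ENDPOINT = "force-reset-password"   # endpoint name from the report
PATCHED_BUILD = 9511                # fixed build named in the report

# Combined-log-format parser; SmarterMail's real log layout is an assumption here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the /api/v1/auth/ prefix is assumed, not taken from the page
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2026:03:12:44 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 88
203.0.113.7 - - [17/Jan/2026:03:12:45 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 512
10.0.5.20 - - [17/Jan/2026:09:01:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 88
198.51.100.9 - - [17/Jan/2026:11:40:19 +0000] "GET /interface/root HTTP/1.1" 200 2210
203.0.113.7 - - [17/Jan/2026:03:13:01 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 88
"""

def find_reset_calls(log_text: str, admin_nets: list) -> dict:
    """Return {source_ip: [call, ...]} for every POST to the reset endpoint,
    marking each call as trusted if the source lies inside an admin network."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or ENDPOINT not in m["path"]:
            continue
        ip = ipaddress.ip_address(m["ip"])
        hits[m["ip"]].append({
            "ts": m["ts"],
            "status": int(m["status"]),
            "trusted": any(ip in n for n in nets),
        })
    return dict(hits)

def suspicious_sources(hits: dict) -> list:
    """Sources with at least one reset call from outside the admin allowlist."""
    return sorted(ip for ip, calls in hits.items() if not all(c["trusted"] for c in calls))

def is_patched(build) -> bool:
    """Accepts 9511, "9511" or "Build 9511"; True when at or above the fixed build."""
    m = re.search(r"\d+", str(build))
    return m is not None and int(m.group()) >= PATCHED_BUILD

if __name__ == "__main__":
    hits = find_reset_calls(SAMPLE_LOG, ["10.0.0.0/8"])
    for ip in suspicious_sources(hits):
        print(f"{ip}: {len(hits[ip])} reset call(s) from outside admin networks")
    print("Build 9511 patched:", is_patched("Build 9511"))
```

Any unexpected source in the output is a reason to treat every administrator account as compromised until its password has been rotated and the host checked for follow-on command execution, since admin access on this product reaches the operating system.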

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Summarized
This BleepingComputer article covers a critical vulnerability in SmarterMail, SmarterTools' self-hosted email server and collaboration platform. The flaw is an authentication bypass in the 'force-reset-password' API endpoint. The endpoint is intentionally exposed without authentication, and it permits unauthenticated attackers to reset administrator passwords and gain full administrative privileges.

The vulnerability was reported by cybersecurity firm watchTowr on January 8, 2026, and SmarterTools fixed it on January 15 without assigning a CVE. watchTowr found evidence of in-the-wild exploitation just two days after the fix, indicating that attackers rapidly reverse-engineered the patch. The core issue is that the endpoint accepts attacker-controlled JSON input, in particular an 'IsSysAdmin' boolean property. When set to 'true', this property makes the backend execute the system-administrator password-reset logic without any authorization check and without verifying the old password, even though the request carries an 'OldPassword' field. Consequently, anyone who knows or guesses an administrator username can reset that account's password.

The impact of successful exploitation is substantial: administrator access lets attackers run OS commands on the host, and watchTowr's proof-of-concept exploit demonstrates SYSTEM-level shell access. Evidence of active exploitation came from an anonymous tipster and a public forum post whose shared logs showed requests hitting the 'force-reset-password' endpoint.

Two weeks before this discovery, watchTowr had identified a critical pre-authentication remote code execution (RCE) vulnerability in SmarterMail, tracked as CVE-2025-52691, and that research led to the latest finding.

SmarterTools' Build 9511, released on January 15, 2026, addresses both the authentication bypass and the RCE vulnerability. Users are strongly advised to upgrade to this version.

The article also points to related incidents, such as exploited authentication bypasses in Fortinet devices and Palo Alto Networks PAN-OS, and serves as a timely warning to SmarterMail administrators to patch immediately and review their systems for signs of compromise.