LmCast :: Stay tuned in

Over 6,000 SmarterMail servers exposed to automated hijacking attacks

Recorded: Jan. 27, 2026, 4 p.m.

By Sergiu Gatlan

January 27, 2026
09:09 AM

Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability.
Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, and SmarterTools released a fix on January 15 without assigning an identifier.
The vulnerability was later assigned CVE-2026-23760 and rated critical severity, as it allows unauthenticated attackers to hijack admin accounts and gain remote code execution on the host, enabling them to take control of vulnerable servers.

"SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API," according to an advisory added to the NIST national vulnerability database on Thursday.
"The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance."
watchTowr discovered this auth bypass flaw two weeks after finding another critical pre-auth vulnerability in SmarterMail (CVE-2025-52691) that can allow attackers to gain remote code execution on unpatched servers.
On Monday, Shadowserver revealed that it's tracking over 6,000 SmarterMail servers (more than 4,200 across North America and nearly 1,000 in Asia) flagged as "likely vulnerable" to ongoing CVE-2026-23760 attacks.

Internet-exposed SmarterMail servers (Shadowserver)
Macnica threat researcher Yutaka Sejiyama has also told BleepingComputer that his scans returned over 8,550 SmarterMail instances still vulnerable to CVE-2026-23760 attacks.
watchTowr, who shared a proof-of-concept exploit that only requires prior knowledge of the administrator account's username, noted that it was tipped off about the flaw being exploited in the wild on January 21. Cybersecurity firm Huntress confirmed their report the next day, noting malicious attacks suggesting mass, automated exploitation.
On Monday, CISA added CVE-2026-23760 to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers within three weeks, by February 16.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
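An added example, not from the article or from SmarterTools: one way a defender could review web access logs for requests to the `force-reset-password` endpoint that the NVD advisory names. It assumes the server writes W3C extended format logs; the log lines, the `/PLACEHOLDER/` path prefix and the IP addresses are constructed.

```python
from collections import defaultdict

ENDPOINT_MARKER = "force-reset-password"  # endpoint name quoted in the NVD advisory

# Constructed sample log; path prefix is a placeholder, IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-22 03:14:07 198.51.100.23 POST /PLACEHOLDER/force-reset-password 200
2026-01-22 03:14:09 198.51.100.23 POST /PLACEHOLDER/force-reset-password 200
2026-01-22 03:15:40 192.0.2.10 GET /PLACEHOLDER/login-page 200
2026-01-22 04:02:11 203.0.113.77 POST /PLACEHOLDER/Force-Reset-Password 400
2026-01-22 04:09:30 203.0.113.77 POST
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can differ between servers
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_reset_requests(text):
    """Group POSTs to the password reset endpoint by client IP for review."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        uri = row.get("cs-uri-stem", "").lower()  # match regardless of URL casing
        if row.get("cs-method") == "POST" and ENDPOINT_MARKER in uri:
            when = row["date"] + " " + row["time"]
            hits[row["c-ip"]].append((when, row.get("sc-status")))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in sorted(find_reset_requests(SAMPLE_LOG).items()):
        ok = sum(1 for _, status in events if status == "200")
        print(f"{ip}: {len(events)} reset request(s), {ok} answered 200")
        for when, status in events:
            print(f"    {when}  status={status}")
```

On a build prior to 9511, any hit from an address that is not a known administrator is worth correlating with administrator password changes made at the same time.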
Yesterday, Shadowserver also reported finding almost 800,000 IP addresses with Telnet fingerprints amid ongoing attacks targeting a critical authentication bypass security flaw in the GNU Inetutils telnetd server.

Over 6,000 SmarterMail servers were discovered to be exposed online and likely vulnerable to automated hijacking attacks, according to a report by Shadowserver. The vulnerability is an authentication bypass flaw in SmarterMail versions prior to build 9511, specifically in the force-reset-password endpoint of the password reset API. The endpoint accepts anonymous requests and does not verify the existing password or a reset token, so an unauthenticated attacker can supply a target administrator username and a new password, resulting in full administrative compromise of the SmarterMail instance. watchTowr discovered the flaw two weeks after finding another critical pre-auth vulnerability in SmarterMail (CVE-2025-52691); exploitation was later confirmed by cybersecurity firm Huntress, and CISA added the flaw to its list of actively exploited vulnerabilities.

The vulnerability, designated CVE-2026-23760, was reported by watchTowr on January 8, and SmarterTools released a fix on January 15 without assigning an identifier. The flaw quickly came under active exploitation, with Shadowserver tracking over 6,000 likely vulnerable SmarterMail servers globally (more than 4,200 across North America and nearly 1,000 in Asia). watchTowr shared a proof-of-concept exploit that requires only prior knowledge of the administrator account's username, and Huntress reported attacks suggesting mass, automated exploitation. On Monday, CISA added the vulnerability to its list of actively exploited vulnerabilities and ordered U.S. government agencies to secure their servers within three weeks, by February 16. Shadowserver separately reported finding almost 800,000 IP addresses with Telnet fingerprints amid attacks on a telnetd flaw.

CISA warned that vulnerabilities of this type are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Mitigation options are to apply mitigations per vendor instructions, follow the applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The rapid exploitation of this vulnerability underscores the importance of proactive vulnerability management and timely patching procedures.

The report coincides with ongoing attacks targeting a critical authentication bypass flaw in the GNU Inetutils telnetd server, for which Shadowserver found almost 800,000 IP addresses with Telnet fingerprints. This confirms a pattern of attackers leveraging known vulnerabilities to gain unauthorized access to critical systems. The series of related exploits highlights the need for constant vigilance and robust security protocols, particularly within organizations reliant on legacy systems or those lacking adequate patching infrastructure.