SmartMail on alert after two critical vulnerabilities that allow remote code execution and NTLM attacks

Published. 4 min read.

SmartTools has published urgent patches for its SmartMail mail server after at least two critical vulnerabilities affecting unpatched versions were confirmed. One allows unauthenticated remote code execution, a flaw that in practical terms leaves the server exposed to malicious instructions sent from the Internet; the other enables attacks on NTLM authentication through requests to network resources.

The first flaw, identified as CVE-2026-24423 and rated with a CVSS score of 9.3, affects the software's ConnectToHub method. According to the public record, an attacker can induce the service to connect to an attacker-controlled HTTP server that delivers an operating system command; if the vulnerable server runs it, the attacker can execute arbitrary code on the affected machine. The official description is available at CVE.org.


Researchers from several organizations identified and reported the vulnerability: Sina Kheirkhah and Piotr Bazydlo from watchTowr, Markus Wulftange from CODE WHITE GmbH and Cale Black from VulnCheck. Their findings are referenced in public research notes and third-party security advisories, such as the CODE WHITE disclosure list and the VulnCheck technical advisory.

SmartTools released the fix for this vulnerability in Build 9511, published on 15 January 2026. It is worth stressing that exploitation of an unauthenticated RCE is particularly dangerous on mail servers, because such software often handles sensitive data and may be directly linked to internal infrastructure that, if compromised, allows lateral movement within the network.

In addition, the company fixed another critical vulnerability, CVE-2026-23760 (also with CVSS 9.3), which has already been observed in real-world attacks. Apart from these two, a medium-severity flaw was closed, CVE-2026-25067 (CVSS 6.9), which is not an RCE but does allow credential coercion by resolving malicious network paths from an unauthenticated position.

In the case of CVE-2026-25067 the problem revolves around the preview of the "image of the day" (background-of-the-day). The application base64-decodes an externally supplied value and treats it as a filesystem path without adequate validation. In Windows environments this makes it possible to resolve UNC paths pointing at attacker-controlled hosts, resulting in outbound SMB authentication attempts. This behavior can be abused to force NTLM authentication attempts, enabling techniques such as NTLM relay or credential coercion; VulnCheck documented this mechanism in its technical advisory: VulnCheck - advisory.
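To illustrate the class of bug described above, here is an added example (not SmartMail's code; the base directory, the `encode_input` helper and the image-only policy are assumptions) showing the weak pattern, a base64 value decoded straight into a path, next to a hardened resolver that refuses UNC, device, absolute and traversal paths before anything touches the filesystem:

```python
import base64
import binascii
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: where background images live on a hypothetical Windows install.
BACKGROUND_DIR = PureWindowsPath(r"C:\SmartMail\Backgrounds")
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg"}


def encode_input(value: str) -> str:
    """Helper used only to build sample inputs for this example."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def unsafe_resolve(encoded: str) -> str:
    """The weak pattern: decode and hand the result to the filesystem as-is.
    A value such as \\\\host\\share\\x.png becomes a UNC path, and opening it on
    Windows triggers an outbound SMB authentication to 'host'."""
    return base64.b64decode(encoded).decode("utf-8", "replace")


def is_unc_or_device_path(raw: str) -> bool:
    """UNC (\\\\host\\share or //host/share) and \\\\?\\ / \\\\.\\ device prefixes."""
    return raw.startswith(("\\\\", "//"))


def safe_resolve(encoded: str) -> Optional[str]:
    """Return a path inside BACKGROUND_DIR, or None if the input is not a plain image name."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if "\x00" in raw or is_unc_or_device_path(raw):
        return None
    candidate = PureWindowsPath(raw)
    # Any drive or root (C:\..., \foo, \\host\share) means the caller chose the location.
    if candidate.drive or candidate.root:
        return None
    # Exactly one component: no subdirectories, no '.' or '..' segments.
    if len(candidate.parts) != 1 or candidate.parts[0] in (".", ".."):
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return str(BACKGROUND_DIR / candidate.name)


if __name__ == "__main__":
    for sample in ("sunset.png", r"\\10.0.0.5\share\x.png", r"..\..\windows\win.ini"):
        print(repr(sample), "->", safe_resolve(encode_input(sample)))
```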

To consult the official SmartTools notes and confirm the affected and fixed versions, the company maintains a record of versions and patches detailing the released builds: SmartTools - Release Notes. It states that Build 9518, published on January 22, 2026, incorporates additional fixes related to path coercion and other security adjustments.

What can and should administrators do right now? The essential step is to apply the updates provided by SmartTools as a priority: moving to the patched builds shrinks the exposure window. In addition, compensating controls should be applied while the patches are rolled out: restrict outbound traffic on SMB-related ports (for example, block egress to ports 139 and 445), review firewall rules to minimize outbound HTTP connections from mail servers, and audit logs for unusual connections or repeated attempts to reach remote resources.


It is also advisable to analyze telemetry and server logs for signs of prior compromise: processes that launch system commands unexpectedly, outbound connections to unknown servers, or SMB authentication patterns towards machines outside the organization's control. If an intrusion is suspected, the affected machines should be isolated and incident response procedures followed to determine the scope and contain lateral movement.

The appearance of two critical vulnerabilities within a short period, and the confirmation of active exploitation of at least one of them, serve as a reminder that mail software remains an attractive vector for attackers. Updating, monitoring, and limiting unnecessary communication paths are simple but effective measures to reduce risk until every installation is patched.

For the technical documentation and the original advisories, these are the sources cited: the main CVE record at CVE.org, the research advisory from VulnCheck, the disclosure list from CODE WHITE, and the official release notes from SmartTools.
