NEWS Reverse Engineering at the Service of Hackers: How a Simple Security Patch Unleashed Criminals' Powers

pinkman

Will the admins be able to patch the hole before everyone is hacked? A chronicle of the SmarterTools crisis.
A vulnerability in the SmarterMail email software, patched by an update on January 15, began to be actively exploited by cybercriminals just two days after the patch was released. This was reported by specialists from the watchTowr Labs team, who had previously notified the developers of the issue.

The flaw is tracked under internal identifier WT-2026-0001. It is related to a lack of proper validation when accessing the API interface at the path "/api/v1/auth/force-reset-password". An attacker can exploit this to reset the administrator password by sending a specially crafted HTTP request. The system only needs the "IsSysAdmin" flag set to "true" in the request, which then executes the logic that allows a new password to be assigned to the administrator account using only the username.

This method allows an attacker to gain privileged access if they know the administrator's login credentials. However, the possibilities don't end there. Once access is gained, they can use built-in functionality to execute arbitrary commands at the operating system level. To do this, simply create a new volume in the settings and enter the command in the mount field. This allows access to the system shell with SYSTEM privileges.

Information about active exploitation emerged after a user reported losing access to their administrator account on the SmarterTools forum. According to logs, a password reset was performed via the vulnerable API on January 17, just two days after the update was released. This suggests that the attackers were able to examine the code changes and reconstruct the nature of the patched vulnerability.

Of particular note is the fact that the release notes for version 9511, which fixes the issue, lacked specifics. The only mention was of "important critical security fixes." According to SmarterTools CEO Timofey Uzzanti, this practice is adopted to prevent attackers from making their job easier. He also noted that the company plans to implement additional email notifications when new vulnerabilities are discovered and corresponding patches are released.

It's unclear whether such a mailing was sent this time. At the time of publication, SmarterTools representatives had not commented on the matter. As a reminder, less than a month ago, a vulnerability of the highest severity (CVE-2025-52691) was discovered in SmarterMail, which also allowed remote code execution.
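The forum user above found out about the compromise from logs that showed a reset through the vulnerable API. The script below is an added example (not code from the post, from watchTowr or from SmarterTools) of the kind of log triage an administrator would run to answer the same question: did anything hit "/api/v1/auth/force-reset-password", from where, did it succeed, and was it before or after the fix shipped. It assumes a generic Apache/NCSA combined access-log format and uses constructed sample lines; SmarterMail's own log layout, the year 2026 (taken from the WT-2026-0001 identifier) and the volume-settings path in the last sample line are assumptions.

```python
import re
from datetime import datetime, timezone

# Endpoint the report names as lacking proper validation.
FORCE_RESET_PATH = "/api/v1/auth/force-reset-password"

# Date the fix shipped, per the report. The year is an assumption taken from the
# WT-2026-0001 identifier; the article itself only says "January 15".
PATCH_RELEASED = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed sample access-log lines in Apache/NCSA "combined"-style format.
# These are NOT real SmarterMail logs; they exist only to exercise the parser.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2026:09:12:31 +0000] "GET /interface/root HTTP/1.1" 200 5120
192.0.2.5 - - [12/Jan/2026:11:00:00 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 42
203.0.113.7 - - [17/Jan/2026:03:14:07 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 42
198.51.100.23 - - [17/Jan/2026:03:14:09 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 403 0
203.0.113.7 - - [17/Jan/2026:03:15:44 +0000] "POST /api/v1/settings/volumes HTTP/1.1" 200 17
"""

# ip, two ignored fields, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Normalise so query strings, trailing slashes and case differences
        # cannot hide a hit on the endpoint of interest.
        "path": m.group("path").split("?", 1)[0].rstrip("/").lower(),
        "status": int(m.group("status")),
    }


def find_force_reset_calls(log_text):
    """Return every parsed request that hit the force-reset endpoint, oldest first.

    Each record gains two triage flags: 'succeeded' (HTTP 200, i.e. the reset
    logic ran) and 'after_patch' (request arrived on or after the fix date).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == FORCE_RESET_PATH:
            rec["succeeded"] = rec["status"] == 200
            rec["after_patch"] = rec["ts"] >= PATCH_RELEASED
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def summarize_by_ip(hits):
    """Count successful versus rejected force-reset calls per source address."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"ok": 0, "rejected": 0})
        entry["ok" if h["succeeded"] else "rejected"] += 1
    return summary


if __name__ == "__main__":
    hits = find_force_reset_calls(SAMPLE_LOG)
    for h in hits:
        outcome = "SUCCESS" if h["succeeded"] else "rejected"
        when = "post-patch" if h["after_patch"] else "pre-patch"
        print(f"{h['ts'].isoformat()} {h['ip']:>15} {outcome:8} ({when})")
    print(summarize_by_ip(hits))
```

Any successful call to this endpoint deserves a manual look regardless of date, since the report describes it as resetting the administrator password on the strength of a flag in the request body alone; a successful call followed shortly by changes under the volume settings from the same address is the sequence the article describes and is worth correlating across both log sources.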