CVE-2026-24423

Analyzed

Published: 23 Jan 2026, 16:53

Last modified:05 Mar 2026, 01:30

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

29.3% HIGH

29% probability 0.00%

KEV

Listed

CISA

1 listing

Ransomware

Known Use

Public exploits

None found

Dark Web

Not detected

Timeline

23 Jan 2026, 16:53

Published

Vulnerability first disclosed

05 Feb 2026, 00:00

Added to CISA KEV

SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability

26 Feb 2026, 00:00

CISA Remediation Due

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

05 Mar 2026, 01:30

Last Modified

Vulnerability information updated

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

CVSS Metrics

v4.0•CRITICAL•Score: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
v4.0•CRITICAL•Score: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 29.30%• Percentile: 97%

Techniques & Countermeasures

CWE-306•Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Affected Systems

Unknown•SmarterMail
< 100.0.9511