CVE-2026-24423
Published Jan 23, 2026
Last updated 2 months ago
- Description
- SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point the SmarterMail instance at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.
- Source
- disclosure@vulncheck.com
- NVD status
- Analyzed
- Products
- smartermail
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
- Exploit added on
- Feb 5, 2026
- Exploit action due
- Feb 26, 2026
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- disclosure@vulncheck.com
- CWE-306
The following weaponized vulnerabilities have been added to our n-day feed: - CVE-2025-61882: Oracle EBS - RCE - CVE-2026-24423: SmarterMail - RCE - CVE-2026-20941: Host Process - LPE - 0DAY-2026-0001: Visual Studio - Info Disclosure https://t.co/Nw6eZdtCs8
@crowdfense
26 Feb 2026
CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2025-11953 (React Native CLI OS command injection) and CVE-2026-24423 (SmarterMail missing authentication). #VulnerabilityUpdate #SoftwareRisk https://t.co/YCHFkiEwSY
@TweetThreatNews
8 Feb 2026
CISA adds two known vulnerabilities to its catalog https://t.co/0Snq0txzN1 CVE-2025-11953 React Native Community CLI OS command injection vulnerability CVE-2026-24423 SmarterTools SmarterMail missing authentication for critical function vulnerability
@cybersecnews_jp
6 Feb 2026
🚨 CISA Adds Actively Exploited React Native CLI and SmarterMail Flaws to KEV — Patch Clock Starts Now CISA added CVE-2025-11953 (React Native Community CLI / Metro dev server OS command injection) and CVE-2026-24423 (SmarterMail unauthenticated RCE via ConnectToHub) to its K
@ThreatSynop
6 Feb 2026
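The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-11953 in React Native Community CLI and CVE-2026-24423 in SmarterMail to its Known Exploited Vulnerabilities Catalog. The remediation deadline is the usual 2/26. SmarterMail: by ransomware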
@__kokumoto
6 Feb 2026
🛡️ We added React Native community CLI vulnerability CVE-2025-11953 & SmarterTools SmarterMail vulnerability CVE-2026-24423 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cyber
@CISACyber
5 Feb 2026
Top 5 Trending CVEs: 1 - CVE-2025-33217 2 - CVE-2023-41064 3 - CVE-2026-24423 4 - CVE-2026-1281 5 - CVE-2024-12084 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
31 Jan 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "D508C7EA-385D-428C-ACD3-9E2F93F0FB31",
            "versionEndExcluding": "100.0.9511",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]