Well, well, well – look what we’re back with.
Just two weeks ago, we examined CVE-2025-52691, a pre-auth RCE vulnerability in the SmarterTools SmarterMail email solution that had a timeline typically reserved for significant vulnerabilities.
This situation had all the ingredients for a captivating story:
- A government agency involved
- Vague patch notes
- Tense discussions on forums
- Accusations of exploitation in the wild
Such drama!
Why Are We Here?
As is often the case, our idle minds led us to explore what seemed like a particularly interesting issue, which brought us to WT-2026-0001, an Authentication Bypass vulnerability enabling any user to reset the SmarterMail system administrator password.
The twist? This user can utilize RCE-as-a-feature functions to execute OS commands directly.
We believe (and have confirmed) that this vulnerability was promptly patched by the SmarterTools team after being reported, with the fix released on January 15, 2026 (release 9511) — just six days ago.
The Tip-Off
Our plan wasn’t to publish today, especially since it’s Wednesday, traditionally reserved for meme content. However, an anonymous tip changed that — someone is currently exploiting SmarterMail to reset admin passwords.
This tipster also referenced a related forum thread where a user reported losing access to their admin account, along with suspicious log file excerpts.
WT-2026-0001 – Authentication Bypass via Password Reset
Initially, we aimed to investigate unauthenticated endpoints and hoped for an easy find, and spoiler alert: we succeeded.
Authentication controllers and password reset functionalities are gold mines for attackers, leading us to the SmarterMail.Web.Api.AuthenticationController.ForceResetPassword method.
Astonishingly, this API endpoint permits anonymous access, meaning it can be reached without authenticating at all. That is atypical for a password reset feature, which would normally require some secondary verification before a credential is changed.
Lack of Security Controls
As it turns out, there are no proper security measures in place. No authentication, no authorization, and no verification of the OldPassword. Ironically, the flow for resetting regular users’ passwords does validate existing credentials, but the administrator’s privileged path offers none.
Essentially, this constitutes a complete authentication bypass for the admin account. An attacker only needs to provide:
- The username of an admin account
- A new password of their choosing
With this, the attacker gains admin access!
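The three missing controls described above, modelled as an added example (not SmarterMail's code): a force-reset handler that accepts anonymous callers and ignores OldPassword, beside a hardened version that requires an authenticated admin session and verifies OldPassword before changing anything. The account store, request shape and method names are hypothetical.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

@dataclass  # hypothetical in-memory account record; stands in for the product's database
class Account:
    username: str
    is_admin: bool
    salt: bytes
    pw_hash: bytes

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(username: str, password: str, is_admin: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(username, is_admin, salt, hash_password(password, salt))

def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

@dataclass
class ResetRequest:
    session_user: Optional[str]  # None models an anonymous (unauthenticated) caller
    username: str                # account whose password is being reset
    new_password: str
    old_password: Optional[str] = None

class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def force_reset_vulnerable(self, req: ResetRequest) -> bool:
        """Models the flaw: no authentication, no authorization, OldPassword ignored."""
        acct = self.accounts[req.username]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(req.new_password, acct.salt)
        return True

    def force_reset_fixed(self, req: ResetRequest) -> bool:
        """Hardened: caller must be an authenticated admin and OldPassword must match."""
        caller = self.accounts.get(req.session_user) if req.session_user else None
        if caller is None or not caller.is_admin:
            return False  # reject anonymous and non-admin callers alike
        target = self.accounts.get(req.username)
        if target is None or not req.old_password or not verify_password(target, req.old_password):
            return False  # one generic failure, so the response does not reveal which check failed
        target.salt = os.urandom(16)
        target.pw_hash = hash_password(req.new_password, target.salt)
        return True
```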
Acting Quickly
SmarterMail patched this vulnerability in version 9511 on January 15, 2026. If you haven’t updated yet, do so immediately—this vulnerability is currently under active exploitation.
Attempts to exploit this vulnerability on patched systems will yield error messages indicating invalid input parameters, a clear sign of proper remediation in the latest updates.
Once again, this case highlights that attackers closely monitor release notes and diff patches for high-value targets. WT-2026-0001 is another reminder of how quickly a vaguely described fix becomes an actively exploited bug.