SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the mal

Description

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.

Affected Products

Vendor	Product	Versions
smartertools	smartermail	< 100.0.9511

References

https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail(Third Party Advisory)
https://www.smartertools.com/smartermail/release-notes/current(Release Notes)
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api(Third Party Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423(US Government Resource)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

100.0.9511

CWECWE-306

PublishedJan 23, 2026

Last enriched5d ago

Trending Score0

Source articles0

Independent0

Info Completeness11/14

Missing: epss, iocs, mitre_attack

SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the mal

Description

Affected Products

References

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline