What happened
A critical vulnerability in SmarterTools’ SmarterMail email and collaboration server is being actively exploited by ransomware-linked attackers, U.S. cybersecurity authorities warn. The flaw, tracked as CVE-2026-24423, exists in the ConnectToHub API method of SmarterMail builds prior to v100.0.9511 and allows unauthenticated attackers to execute arbitrary operating system commands by directing a vulnerable instance to retrieve a malicious HTTP payload. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this issue has been added to its Known Exploited Vulnerabilities (KEV) catalog because it has been abused in ransomware campaigns in the wild, with exploitation observed against internet-accessible servers. The vulnerability joins other SmarterMail flaws previously targeted by attackers, and SmarterTools released patched builds on January 15, 2026 that address CVE-2026-24423 alongside earlier exploited defects.
Who is affected
Operators of SmarterTools SmarterMail servers running vulnerable versions prior to build 9511 are affected, as those instances remain exposed to unauthenticated remote exploitation that can lead to arbitrary command execution and potential ransomware payload delivery.
Why CISOs should care
The active exploitation of a critical remote-code-execution vulnerability in widely used mail server software highlights ransomware actors’ persistent, opportunistic focus on software flaws, reinforcing the need for rapid patching and vulnerability management in exposed infrastructure.
3 practical actions
- Apply the SmarterMail patch. Update affected SmarterMail instances to build 9511 or later to remediate CVE-2026-24423.
- Restrict management interfaces. Limit external network access to mail server management and API endpoints to reduce exploitation risk.
- Monitor ransomware indicators. Detect signs of ransomware delivery or command execution patterns on mail server hosts.
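
One way to start on the monitoring action, as an added example that is not from SmarterTools or CISA: a log triage script that surfaces requests naming the ConnectToHub method and ranks external, unauthenticated callers first. It assumes IIS W3C-format access logs with the fields shown and that the method name appears in the request URI; the sample lines, the `/api/example/` path and the internal address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample in IIS W3C extended format; paths and addresses are illustrative only.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2026-01-20 09:14:02 10.0.4.17 admin POST /api/example/settings 200
2026-01-20 09:15:40 203.0.113.45 - POST /api/example/ConnectToHub 200
2026-01-20 09:16:11 198.51.100.7 - GET /interface/root 200
2026-01-20 09:17:55 192.168.1.20 - POST /api/example/connecttohub 200
"""

METHOD = "connecttohub"  # API method named in the advisory; matched case-insensitively
# Assumed internal ranges; replace with the networks your organisation actually trusts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip_text):
    """True when the client address is outside every configured internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable client address: treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)


def find_hits(log_text):
    """Return records for requests whose URI mentions the method, worst first."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if METHOD not in row.get("cs-uri-stem", "").lower():
            continue
        row["external"] = is_external(row.get("c-ip", ""))
        row["unauthenticated"] = row.get("cs-username", "-") == "-"
        hits.append(row)
    # External, unauthenticated calls match the exposure described in the advisory.
    hits.sort(key=lambda r: (r["external"], r["unauthenticated"]), reverse=True)
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], "external" if h["external"] else "internal")
```

A hit on a server still running a build prior to 9511 is a reason to review that host for command execution around the same timestamp; a hit on a patched server is still worth recording as scanning activity.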
