VYPR advisory · Published Jan 22, 2026 · Updated May 20, 2026 · 1 source

SmarterMail Authentication Bypass (WT-2026-0001) Allows Admin Takeover, Exploited After Patch

WatchTowr discloses an unauthenticated password reset bypass in SmarterTools SmarterMail that lets attackers hijack the system admin account, with evidence of in-the-wild exploitation after the patch was released.

WatchTowr Labs has disclosed a critical authentication bypass vulnerability in SmarterTools SmarterMail, tracked as WT-2026-0001, that allows any unauthenticated attacker to reset the system administrator password and gain full control of the email server. The flaw resides in the `ForceResetPassword` API endpoint, which is marked with `AllowAnonymous=true` and accepts a user-supplied `IsSysAdmin` boolean parameter. By setting this parameter to `true`, an attacker can bypass all authentication and trigger the system administrator password reset flow, effectively taking over the highest-privileged account on the server.

The vulnerability was responsibly disclosed to SmarterTools, which released a patched version (release 9511) on January 15, 2026. However, WatchTowr reports that exploitation has been observed in the wild after the patch was issued. An anonymous tipster provided log excerpts from a SmarterMail forum thread showing the `force-reset-password` endpoint being abused to hijack admin accounts two days after the patch was released. This suggests that attackers are reverse-engineering the patch to reconstruct the vulnerability, a tactic WatchTowr calls "attackers with decompilers."

The technical mechanism is straightforward. The `ForceResetPassword` method in `SmarterMail.Web.Api.AuthenticationController` is exposed via HTTP POST at the route `force-reset-password`. The `AuthenticatedService(AllowAnonymous = true)` attribute permits unauthenticated access. The method then branches based on the `IsSysAdmin` property of the input object. If set to `true`, it executes the system administrator password reset logic without requiring any prior authentication or proof of identity. This allows an attacker to simply send a crafted JSON payload to the endpoint and change the admin password to one of their choosing.
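The authorization pattern described above, reduced to a toy model as an added example (this is not SmarterMail code, and the vendor's actual fix is not reproduced here). The handler names, the `Session`/`UserStore` types, the `Username`/`ResetToken` fields and the token-gated user flow are all assumptions made for illustration; only the anonymous `force-reset-password` route and the client-supplied `IsSysAdmin` flag come from the advisory. The vulnerable function lets the request body pick the privileged branch; the hardened one derives that decision from server-side session state and ignores the flag entirely.

```python
"""Toy model of a 'force reset password' handler's authorization decision.

Constructed illustration, not SmarterMail code. It contrasts the flaw the
advisory describes (an anonymous endpoint whose privileged branch is selected
by a client-supplied IsSysAdmin flag) with a hardened pattern that is an
assumption about good practice, not the vendor's patch.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Session:
    """What the server knows about the caller; user=None means anonymous."""
    user: Optional[str] = None


@dataclass
class UserStore:
    # Hypothetical in-memory store standing in for the real user database.
    passwords: dict = field(default_factory=lambda: {"admin": "old-admin-pw", "alice": "old-alice-pw"})
    sysadmins: set = field(default_factory=lambda: {"admin"})
    reset_tokens: dict = field(default_factory=lambda: {"alice": "tok-alice-123"})


def _user_reset_with_token(body: dict, store: UserStore) -> str:
    """Anonymous (non-admin) reset flow: requires a valid per-user reset token.
    Hypothetical design; the product's real user flow is not described on the page."""
    user = body.get("Username")
    if user in store.sysadmins:
        raise PermissionError("sysadmin accounts cannot be reset through the anonymous flow")
    if user not in store.reset_tokens or body.get("ResetToken") != store.reset_tokens[user]:
        raise PermissionError("invalid or missing reset token")
    store.passwords[user] = body["NewPassword"]
    return f"password reset for {user}"


def vulnerable_force_reset(body: dict, session: Session, store: UserStore) -> str:
    """Mirrors the flaw: the endpoint is anonymous and the sysadmin branch is
    chosen purely by the IsSysAdmin field of the request body."""
    if body.get("IsSysAdmin") is True:
        # No proof of identity: any caller lands here by setting one boolean.
        store.passwords["admin"] = body["NewPassword"]
        return "sysadmin password reset"
    return _user_reset_with_token(body, store)


def hardened_force_reset(body: dict, session: Session, store: UserStore) -> str:
    """Hardened pattern: privilege is derived from the authenticated session only.
    The request body cannot promote an anonymous caller to the sysadmin branch."""
    if session.user is not None and session.user in store.sysadmins:
        store.passwords[session.user] = body["NewPassword"]
        return "sysadmin password reset"
    # Anonymous callers get the token-gated user flow; body["IsSysAdmin"] is never consulted.
    return _user_reset_with_token(body, store)


def try_reset(handler: Callable, body: dict, session: Session, store: UserStore) -> str:
    """Run a handler and turn an authorization failure into a string, so both outcomes
    can be compared side by side."""
    try:
        return handler(body, session, store)
    except PermissionError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed request body shaped like the one the advisory describes.
    body = {"IsSysAdmin": True, "NewPassword": "anything"}
    for handler in (vulnerable_force_reset, hardened_force_reset):
        store = UserStore()
        outcome = try_reset(handler, body, Session(), store)
        print(f"{handler.__name__}: {outcome}; admin password now {store.passwords['admin']!r}")
```

The point of the contrast is that the hardened handler never reads `IsSysAdmin` at all: any flag that selects a privileged code path has to be computed from the authenticated principal on the server, and an endpoint that must stay anonymous (for ordinary password recovery) must have no route into the administrator branch.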

Once the attacker controls the system administrator account, they can leverage SmarterMail's built-in RCE-as-a-feature functions to execute arbitrary operating system commands on the server. This means the vulnerability is not just a credential bypass but a direct path to full server compromise. WatchTowr notes that the combination of unauthenticated admin password reset and subsequent command execution makes this a particularly dangerous flaw for organizations relying on SmarterMail for email services.

The impact is significant. SmarterMail is a widely used email server solution for businesses and service providers. An attacker who successfully exploits WT-2026-0001 can read all emails, intercept communications, deploy ransomware, or use the compromised server as a pivot point for further network attacks. The fact that exploitation has already been detected post-patch indicates that defenders must apply the update immediately and audit their systems for signs of compromise.

SmarterTools has released a patch in release 9511, but the company's release notes did not explicitly highlight the severity of the vulnerability, according to WatchTowr. The researchers urge all SmarterMail administrators to upgrade immediately and review logs for any suspicious `force-reset-password` activity. They also recommend enabling multi-factor authentication for admin accounts and monitoring for unexpected password changes as additional mitigations.
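A small log-review helper for the recommendation above, added here as an example and not taken from WatchTowr or SmarterTools. It assumes the web tier writes (or a reverse proxy in front of it writes) access logs in Combined Log Format; the sample lines, the IP addresses and the `/api/v1/auth/` path prefix are all constructed for the example, so adapt the regex and the prefix to the logs actually present on the server. It flags every POST whose path contains `force-reset-password`, and groups the hits by source address with first/last timestamps and response status.

```python
"""Flag force-reset-password requests in access logs (added example, not vendor code).

Assumes Combined Log Format lines; the sample below is constructed and the path
prefix is a guess. A 200 from the endpoint is only a weak signal on its own: the
decisive check is whether an administrator password change follows a hit.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines for illustration only; not real SmarterMail logs.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2026:03:12:39 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 400 33 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jan/2026:03:12:41 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jan/2026:03:12:43 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.20 - - [17/Jan/2026:08:30:02 +0000] "GET /interface/root HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Jan/2026:08:30:05 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 318 "-" "Mozilla/5.0"
"""


def parse_access_log(lines: Iterable[str]) -> Iterable[dict]:
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def find_force_reset_events(lines: Iterable[str]) -> List[dict]:
    """Every POST whose path contains the force-reset-password route, regardless of prefix."""
    return [
        rec for rec in parse_access_log(lines)
        if rec["method"] == "POST" and "force-reset-password" in rec["path"].lower()
    ]


def summarize_by_ip(events: List[dict]) -> Dict[str, dict]:
    """Group hits by source address: attempt count, 2xx count, first and last time seen."""
    summary: Dict[str, dict] = {}
    for ev in events:
        s = summary.setdefault(
            ev["ip"], {"attempts": 0, "ok_responses": 0, "first": ev["ts"], "last": ev["ts"]}
        )
        s["attempts"] += 1
        if 200 <= ev["status"] < 300:
            s["ok_responses"] += 1
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return summary


if __name__ == "__main__":
    hits = find_force_reset_events(SAMPLE_LOG.splitlines())
    for ip, s in summarize_by_ip(hits).items():
        print(f"{ip}: {s['attempts']} attempt(s), {s['ok_responses']} 2xx, "
              f"{s['first'].isoformat()} .. {s['last'].isoformat()}")
```

On a server where nobody is expected to use the forced reset at all, any hit is worth a look; where the endpoint is legitimately used, correlate each 2xx with the administrator account's password-change history and with the logins that follow from the same address.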

This disclosure follows closely on the heels of CVE-2025-52691, a pre-auth RCE vulnerability in the same product that WatchTowr reported two weeks prior. The back-to-back critical flaws in SmarterMail raise questions about the security posture of the software and the effectiveness of its patch communication. As attackers increasingly use decompilers to reverse-engineer security patches, the window for defenders to apply updates continues to shrink.

Synthesized by Vypr AI