SmarterMail Flaw Actively Exploited Days After Patch Release

A newly disclosed security flaw in SmarterTools SmarterMail is already being exploited in the wild, just two days after a patch was released, raising concerns about how quickly attackers are reverse engineering vendor fixes.

watchTowr Labs tracks this issue as WT-2026-0001; it does not yet have an official CVE ID. SmarterTools released a fix (Build 9511) on January 15, 2026, following responsible disclosure of the vulnerability on January 8, 2026.

At its core the vulnerability is an authentication bypass: an unauthenticated user can reset the system administrator password with a specially crafted HTTP request sent to:
/api/v1/auth/force-reset-password

According to watchTowr researchers Piotr Bazydlo and Sina Kheirkhah, the flaw is particularly dangerous because it doesn’t stop at account takeover.
“The kicker is that the attacker can then use built-in RCE as a feature functionality to directly execute operating system commands,” the researchers said.

What The Exploit Does
The AuthenticationController.ForceResetPassword method was not protected by any requirement to be logged in; instead it relied on a boolean flag, IsSysAdmin, to decide how the password reset should proceed. If an attacker can set this flag to true, the following happens:
1. The configuration for the supplied username is loaded from the configuration files.
2. A new system administrator record is created.
3. The administrator password is updated.
As a result, anyone who knows the administrative username can change the administrator password without logging in.

From Admin Access to Full System Control
Once an attacker has administrative access to the application, they can use its legitimate features to reach further into the host. SmarterMail includes a feature that lets system administrators execute operating system commands, which gives an attacker a second step to chain onto this vulnerability.

By navigating to Settings → Volumes and supplying a command in the Volume Mount Command field, an attacker can trigger execution on the host system and obtain a SYSTEM-level shell.
This turns what starts as an authentication flaw into full remote code execution.

The Active Exploitation Evidence
After a user reported on the SmarterTools Community Portal that their admin account had been disabled, watchTowr Labs chose to break their silence. In that user's logs they saw evidence of the force-reset-password endpoint being used on January 17, 2026, a mere two days after the patch was released.

This shows how quickly attackers were able to study the patch and reproduce the fix to build a working exploit. The situation was compounded by vague release notes: Build 9511 stated only "IMPORTANT: Critical Security Fixes." No further technical information was available.
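As an added illustration of the kind of log review described above (this is not code from watchTowr, SmarterTools or the original article), the Python script below flags every request to the forced-reset endpoint in a W3C-format access log and lists what the same source did in the following minutes, which is the takeover pattern to look for. The log field layout, the trusted admin address ranges and the placeholder paths are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RESET_ENDPOINT = "/api/v1/auth/force-reset-password"  # path named in the watchTowr write-up
# Constructed sample in W3C extended (IIS-style) log format. The field layout on a
# real SmarterMail host is an assumption: adjust #Fields to match your server.
# Paths other than the reset endpoint are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-17 03:12:41 203.0.113.45 POST /api/v1/auth/force-reset-password 200
2026-01-17 03:12:52 203.0.113.45 POST /placeholder/session-login 200
2026-01-17 03:14:07 203.0.113.45 POST /placeholder/sysadmin-settings 200
2026-01-17 09:30:02 192.168.10.8 POST /api/v1/auth/force-reset-password 200
2026-01-18 11:05:19 198.51.100.7 POST /api/v1/auth/force-reset-password 401
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def _when(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")

def find_reset_attempts(text, trusted=("10.0.0.0/8", "192.168.0.0/16"), window_min=30):
    """Every hit on the forced-reset endpoint, plus what the same source did next."""
    records = list(parse_w3c(text))
    trusted_nets = [ip_network(n) for n in trusted]  # assumed admin ranges
    hits = []
    for rec in records:
        if rec["cs-uri-stem"].lower() != RESET_ENDPOINT:
            continue
        src, t0, status = ip_address(rec["c-ip"]), _when(rec), int(rec["sc-status"])
        # A successful reset followed by more requests from the same source is the
        # takeover pattern described above, so collect the follow-on paths.
        follow_on = [r["cs-uri-stem"] for r in records if r["c-ip"] == rec["c-ip"]
                     and t0 < _when(r) <= t0 + timedelta(minutes=window_min)]
        hits.append({"when": t0.isoformat(sep=" "), "src": rec["c-ip"],
                     "succeeded": 200 <= status < 300,
                     "external": not any(src in n for n in trusted_nets),
                     "follow_on": follow_on})
    return hits

if __name__ == "__main__":
    for h in find_reset_attempts(SAMPLE_LOG):
        print("ALERT" if h["succeeded"] and h["external"] else "review", h)
```

A successful (2xx) hit from outside the trusted ranges is the case to treat as a probable compromise; a 4xx from a patched build still shows the host is being probed.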

Vendor Response
SmarterTools CEO Tim Uzzanti said limited disclosure is intentional to avoid helping attackers, but acknowledged customer concerns. He stated the company plans to improve communication by emailing administrators when CVEs are discovered and again when fixes are released.

It’s unclear whether such an alert was sent for this issue. SmarterTools has not yet commented publicly on the active exploitation.

Why This Matters
This incident highlights a growing trend: attackers no longer wait weeks or months. Patches are reverse engineered almost immediately, and vulnerable systems are targeted within days.

For SmarterMail administrators, applying updates immediately is no longer optional—it’s the difference between staying secure and losing full control of the server.

Source: The Hacker News


© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067