CVE-2026-24423
KEV
🔴 Patch now
The vulnerability in SmarterMail allows unauthenticated remote code execution.
CVSS
9.8
EPSS
87.7%
Exploit
weaponized
Vendor
smartertools
Source description (NVD)
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
rce
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | Yes |
| FIRST EPSS (exploit probability) | 87.7% |
| Published (NVD) | 2026-01-23 17:16:13 UTC |
| Last modified (NVD) | 2026-06-17 10:23:03 UTC |
References
- https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail (disclosure@vulncheck.com) [Third Party Advisory]
- https://www.smartertools.com/smartermail/release-notes/current (disclosure@vulncheck.com) [Release Notes]
- https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api (disclosure@vulncheck.com) [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]