SmarterMail Patches Critical Remote Code Execution Vulnerability

SmarterTools has released a security update for its SmarterMail email server software to address a critical vulnerability that could allow attackers to run arbitrary code without authentication. The flaw, identified as CVE-2026-24423, received a severity rating of 9.3 out of 10.0 on the Common Vulnerability Scoring System (CVSS). The patch was included in the latest software build, 9511, released by the company.

Details of the Security Flaw

The vulnerability existed within the ConnectToHub API endpoint in SmarterMail. According to the advisory, this flaw could be exploited by an unauthenticated remote attacker. This means an individual could potentially execute malicious code on a vulnerable server without needing a username or password.

A CVSS score of 9.3 places the flaw in the critical band. Scores in this range are reserved for vulnerabilities that can be reached over the network with no privileges and that lead to a complete compromise of the affected system. Here the combination of "unauthenticated", "remote", and "arbitrary code execution" means a successful exploit would give an attacker control of the email server itself, not just a mailbox.

Affected Software Versions

The security issue impacted all versions of SmarterMail prior to build 9511. SmarterMail is a popular on-premises email and collaboration server software used by businesses and organizations worldwide. The company has not disclosed whether the vulnerability was actively exploited in the wild before the patch was issued.

Administrators are urged to verify their current SmarterMail build number immediately; any build below 9511 is affected. The fix is contained in build 9511, which is available through the standard SmarterTools update channels.

Response and Remediation

SmarterTools addressed the remote code execution flaw alongside at least one other security issue in the same update cycle. The company’s advisory provided the necessary technical details for users to understand the risk and take action.

The primary remediation step is to upgrade the SmarterMail installation to build 9511 or a later version without delay. For systems that cannot be updated immediately, administrators should consult the vendor for potential mitigation strategies, though a full patch is the only complete solution.

Broader Security Context

Critical vulnerabilities in email server software are a significant concern for enterprise security. Email systems are high-value targets for cybercriminals due to the sensitive communication and data they handle. A remote code execution flaw at this severity level could serve as a gateway for data theft, ransomware deployment, or further network infiltration.

This incident follows a pattern of similar critical vulnerabilities being discovered in widely used server software. It underscores the continuous need for organizations to maintain a rigorous and timely patch management process for all critical infrastructure components.

Next Steps for Users

System administrators running SmarterMail should prioritize applying the update to build 9511. They should also review web and server logs for unusual activity, in particular requests to the ConnectToHub API endpoint from unexpected sources, that may indicate a prior attempted or successful exploitation. SmarterTools is expected to continue its standard security maintenance, and users should monitor the company's official channels for any further advisories related to this or other vulnerabilities.
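The two follow-up steps above (confirm the build is at or above 9511, then look through access logs for traffic to the ConnectToHub endpoint) can be scripted. The block below is an added example written for this article; it is not SmarterTools code and is not derived from the advisory. It assumes the build number is available as a version string whose last integer is the build (for example "100.0.9511" or "Build 9511"), that the web server's access log is in the common combined format, and that the vulnerable endpoint is served under a URL path containing "ConnectToHub". The sample log lines and the path "/api/v1/settings/ConnectToHub" are constructed placeholders, not the product's real paths.

```python
"""
Added example (not from SmarterTools or the advisory): post-advisory checks
for CVE-2026-24423.

Assumptions (labelled here and in comments):
  * a SmarterMail version string ends with the build number, e.g. "100.0.9511"
  * access logs are in combined log format
  * the ConnectToHub endpoint appears in the request path; the exact path used
    in the constructed sample lines is a placeholder
"""
import re
from collections import Counter

FIXED_BUILD = 9511  # first build containing the fix (from the advisory)

# Constructed sample access log; IPs are documentation ranges, path is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2026:10:15:01 +0000] "GET /interface/root HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Feb/2026:10:15:22 +0000] "POST /api/v1/settings/ConnectToHub HTTP/1.1" 200 128',
    '203.0.113.7 - - [02/Feb/2026:10:15:23 +0000] "POST /api/v1/settings/ConnectToHub HTTP/1.1" 500 64',
    '198.51.100.3 - - [02/Feb/2026:10:16:00 +0000] "GET /api/v1/settings/hub HTTP/1.1" 200 512',
    'this line is deliberately malformed and must be skipped',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_build(version: str) -> int:
    """Extract the build number: the last integer in the version string (assumed format)."""
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError(f"no build number found in {version!r}")
    return int(numbers[-1])


def is_vulnerable(version: str) -> bool:
    """True when the running build predates the fixed build 9511."""
    return parse_build(version) < FIXED_BUILD


def scan_log(lines, endpoint_marker: str = "connecttohub"):
    """Return parsed entries whose request path references the ConnectToHub endpoint.

    Lines that do not match the combined log format are skipped rather than
    aborting the scan, since real logs contain truncated or rotated lines.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if endpoint_marker in m["path"].lower():
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


def summarize_sources(hits) -> Counter:
    """Count ConnectToHub requests per source IP so unexpected callers stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for v in ("100.0.9480", "100.0.9511"):
        print(f"{v}: {'VULNERABLE, update to 9511' if is_vulnerable(v) else 'patched'}")
    hits = scan_log(SAMPLE_LOG)
    for ip, n in summarize_sources(hits).most_common():
        print(f"{ip}: {n} ConnectToHub request(s)")
    for h in hits:
        print(f"  {h['ts']} {h['method']} {h['path']} -> {h['status']}")
```

A hit in this scan is a lead, not proof of compromise: the endpoint may have legitimate callers in a given deployment, and an exploit attempt may log a 500 as easily as a 200. The useful output is the per-source summary, which lets an administrator compare the callers against hosts that should be talking to that endpoint at all.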

Source: Adapted from original security advisory