A critical authentication bypass vulnerability (WT-2026-0001) was discovered in SmarterTools SmarterMail. Any unauthenticated attacker can reset the system administrator password through the `/api/v1/auth/force-reset-password` endpoint. The root cause is that the `ForcePasswordReset` method accepts a user-controlled `IsSysAdmin` flag and, when that flag is true, skips all password validation, including verification of the old password; in other words, the caller's claim to be an administrator is trusted instead of being derived from server-side state. Once administrator access is obtained, an attacker can escalate to SYSTEM-level remote code execution through the built-in Volume Mounts feature. In-the-wild exploitation was observed just two days after the patch (version 9511, January 15, 2026) shipped, which suggests attackers diffed the patch to reconstruct the vulnerability. Upgrade immediately; until then, treat any request to this endpoint that is not tied to an authenticated administrator session as hostile.
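The paragraph above describes a bug class rather than a SmarterMail-specific quirk: an authorization decision driven by a flag the client supplies. The Python below is an added model written for this page, not code from watchTowr or SmarterTools. It keeps only the facts the summary states (the endpoint path, the `ForcePasswordReset` handler, the `IsSysAdmin` flag that skips old-password checks) and assumes everything else: the other request-body field names (`Username`, `OldPassword`, `NewPassword`), the in-memory user store, the `Session` object, and the Common Log Format of the constructed sample log lines. It shows the vulnerable handler beside a hardened one that takes the caller's role from the server-side session, plus a small log filter that surfaces successful POSTs to the endpoint for review.

```python
# Added illustrative model of the bug class behind WT-2026-0001; not SmarterMail code.
# Assumed for this example: request-body field names other than IsSysAdmin, the
# user store, the Session object and the Common Log Format of the sample lines.
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


@dataclass
class User:
    name: str
    pw_hash: bytes
    is_sysadmin: bool = False


@dataclass
class Session:
    """Server-side session: the only trustworthy source of who the caller is (assumed)."""
    username: str


def make_users() -> dict:
    """Constructed user store for the example: one sysadmin, one ordinary user."""
    return {
        "admin": User("admin", hash_password("correct horse"), is_sysadmin=True),
        "alice": User("alice", hash_password("alice-pw")),
    }


# Constructed attacker body: no session, no old password, just a claim to be sysadmin.
ATTACK_BODY = {"Username": "admin", "IsSysAdmin": True, "NewPassword": "pwned"}


def force_reset_vulnerable(users: dict, body: dict) -> int:
    """Vulnerable shape: an unauthenticated handler in which the body's own
    IsSysAdmin flag decides whether old-password verification is skipped."""
    target = users.get(body.get("Username"))
    if target is None:
        return 404
    if not body.get("IsSysAdmin", False):           # attacker-controlled branch
        if not verify_password(body.get("OldPassword", ""), target.pw_hash):
            return 401
    target.pw_hash = hash_password(body["NewPassword"])
    return 200


def force_reset_fixed(users: dict, session: Optional[Session], body: dict) -> int:
    """Hardened shape: require a session, take the caller's role from server-side
    state, and ignore any role claim carried in the request body."""
    if session is None:
        return 401
    actor = users.get(session.username)
    target = users.get(body.get("Username"))
    if actor is None or target is None:
        return 404
    if actor is target:
        # Self-service reset always needs the current password, admin or not.
        if not verify_password(body.get("OldPassword", ""), target.pw_hash):
            return 401
    elif not actor.is_sysadmin:
        return 403                                  # ordinary user, someone else's account
    target.pw_hash = hash_password(body["NewPassword"])
    return 200


# Constructed Common Log Format lines for the detection helper; not real SmarterMail logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jan/2026:02:14:09 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 87',
    '198.51.100.4 - - [17/Jan/2026:02:14:10 +0000] "GET /interface/root HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Jan/2026:02:14:12 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 401 0',
]

RESET_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "POST /api/v1/auth/force-reset-password\S* HTTP/\S+" (?P<status>\d{3})'
)


def successful_resets(log_lines) -> list:
    """Return (ip, status) for every POST to the reset endpoint that got a 2xx.
    Legitimate use of this endpoint is rare, so each hit is worth correlating
    against known administrator activity."""
    hits = []
    for line in log_lines:
        m = RESET_LINE.match(line)
        if m and m.group("status").startswith("2"):
            hits.append((m.group("ip"), m.group("status")))
    return hits


if __name__ == "__main__":
    users = make_users()
    print("vulnerable handler:", force_reset_vulnerable(users, ATTACK_BODY))
    users = make_users()
    print("fixed handler, no session:", force_reset_fixed(users, None, ATTACK_BODY))
    print("successful resets in sample log:", successful_resets(SAMPLE_LOG))
```

The point of the hardened version is structural: the body never participates in the authorization decision, so a field such as `IsSysAdmin` becomes inert even if a future handler forgets to strip it. The log filter deliberately reports every successful call rather than trying to infer the session from the log, because Common Log Format does not record application sessions; the analyst matches hits against administrator login records.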

10 min read. From labs.watchtowr.com
Table of contents:
Why Are We Here?
WT-2026-0001 - Authentication Bypass via Password Reset
Proof of Concept
But Wait, There's More - RCE as a Service
What to Do, How to Live
Gain early access to our research, and understand your exposure, with the watchTowr Platform
