Back to Community Threads
Build 9518 (Jan 22, 2026) - Share your experience
Problem reported by kevind - 1/22/2026 at 7:42 PM
Submitted
The Tell us what you think of the latest build? thread is getting too long, so starting a new thread. Reply if you installed this build and let us know how it's working. Thanks!

Build 9518 (Jan 22, 2026)

  • IMPORTANT: Critical security fixes. It is strongly recommended that all users update to this release.
  • Changed: Online Meetings need to support Authenticated Users' timezone IDs.
  • Changed: Redesigned the Diagnostics area, making it an actual page for system administrators, and including additional information.
  • Fixed: [HA] Translation error when blacklisting an IDS block.
  • Fixed: Blocked Domains modal has title "Blocked Senders".
  • Fixed: Mailing Lists do not validate the throttling card when adjusting Outbound Throttling.
  • Fixed: Newly created users can generate 'password encrypted is null' errors.
B
Bill T Replied
1/22/2026 at 9:56 PM
Rolled the dice and loaded it. So far so good, 

With the concern that the hackers are using the patches to diff the changes and figure out what was patched, seems like we have to patch immediately. Just hoping nothing new pops up.

We also added a URL block to the web.config for the RCE-as-a-feature that watchtowr mentioned. Only problem is web.config gets rewritten during the upgrade so had to add it back. Might be worth considering making that entire feature optional during the install? Are a lot of people using it?

Does anyone know of any other features of Smartermail that a person with admin access to the web console would be able to run system level commands? 
echoDreamz Replied
1/22/2026 at 10:52 PM
Installed, no issues thus far.
Sabatino Replied
1/23/2026 at 12:56 AM
Hi.
I installed 100.0.9518.30214 (1/22/2026)

So far, everything's fine.

I installed it not so much for the
force-reset-password exploit

but for all the others that aren't being discussed at the moment, given that there are other CVE.

I was hit by force-reset-password yesterday, but other than that, it didn't cause any other problems.

All my administrative accounts have either IP filtering or 2FA.

I generally use two admin accounts: one with IP filtering for work from secure networks in my office, and another for external emergencies, but in this case, 2FA is necessary.

With 9518, the diagnostics page also works remotely, but I'm logged in with the administrative account from authorized networks, so I don't know if that's the reason.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
Sabatino Replied
1/23/2026 at 1:21 AM
Tip:
Enter the status of the services, whether they are started and operational.

I mean ClamAV
message sniffer
cyren

etc.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
t
terry fairbrother Replied
1/23/2026 at 1:25 AM
Linux SM, if I click on About, no box appears so unable to check what version i'm on. Connected via localhost

Ignore, appears to be working now. Hmmmmmm
G
George To Replied
1/23/2026 at 1:48 AM
Hello, Sabatino,

@Sabatino , can 2FA and/or "login IP filtering" defense you against force-reset-password exploit ?

(i.e. even password modified, but they cannot login successfully?)

Thank you
Regards
George.
J
J. LaDow Replied
1/23/2026 at 2:17 AM
@George To

Even if it does, there is a new build out that fixes another yet unknown vulnerability.

Given the speed the last exploit was found - admins have about 24-48 hours to get updated before the next vulnerability becomes actively exploited in the wild. 

It is recommended to get updated to build 9518 as soon as possible as we have no temporary mitigation information available.
MailEnable survivor / convert --
Sabatino Replied
1/23/2026 at 2:19 AM
It should be like this.
I reset the system admin's password due to the reset and verified that the IP restrictions hadn't been bypassed.
So they weren't able to log in (and from the logs, I later verified that they didn't even try after the reset; I intervened almost immediately).

I have the system admin (the one they can reset the password on, from what I understand) with IP restrictions.
I have other admins for external access to my network with 2FA.
I don't know what happens if a 2FA admin's password is reset. SM should respond here.


However, as I said, installing 9518 is a necessity, because the force-reset-password is only the tip of the iceberg, as there are other CVE that we may not talk about here.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
Gabriele Maoret - SERSIS Replied
1/23/2026 at 4:24 AM

My linux server is showing the ABOUT info correctly:  
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
G
George To Replied
1/23/2026 at 12:40 PM
We updated 2 SmarterMail servers from 9511 to 9518 for a few hours.
So far so good.

Also, v9518 includes a new SmarterMail diagnosis page.
M
Marc Replied
1/24/2026 at 8:25 AM
Updated from 9511 to 9518 on Windows Server 2019, no issues so far.

I’m not sure if this is still the recommended update procedure. I’ve never had any issues with it, but I’d like to double‑check:

- Stop the IIS site and stop the App Pool
- Stop the MailService, and wait until it disappears from Task Manager
- Backup the SM-Config
- Create a snapshot
- Uninstall the current version
- Install the new version

I’ve never rebooted the server after uninstalling the old version.  
Is a reboot actually recommended at this step?
I do it always.
Oliver Replied
1/24/2026 at 2:52 PM
In the admin interface under Settings -> Administrators -> Change Password, the administrator password cannot be changed. The error message “Incorrect password” appears.
Michael Replied
1/24/2026 at 7:38 PM
Oliver, we had the same issue. It was because 2FA was enabled. Disabling 2FA briefly we could then reset the password. We believe having 2FA enabled would have prevented any password change by the exploit, but that's still not yet clear. 
David Short Replied
1/25/2026 at 5:43 AM
The appsettings.json file tricked me up because I would have thought that it would have carried forward the settings from the previous install.  Webmail wasn't working, of course, until I went in and updated this file to listen on port 443.
Gabriele Maoret - SERSIS Replied
1/25/2026 at 5:51 AM
All seems OK here
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Cris Mead Replied
1/25/2026 at 6:46 AM
Had to install, forced by at least 2 "force-reset-password" with status=200, and lost control of server for a moment... (right when I was on vacation LOL)

9518 working -- no issues so far 
J
J. LaDow Replied
1/25/2026 at 7:32 AM
If you lost control of your server for any amount of time - it is recommended to go through all settings and verify that post-exploit attacks weren't left on the server such as rogue volume mounts - as well as scanning the local file systems for any signs of compromise.

Pre < 9518 builds have path traversal and authentication issues that when leveraged can result in full compromise of a server within minutes of initial attack.
MailEnable survivor / convert --
Cris Mead Replied
1/25/2026 at 8:06 AM
@J. LaDow, agreed thank you, that has been my last 3 days ;)

Seems they didn't get anywhere, it actually seems like 2 bad actors had changed the password independently, and might have screwed each other, or no one acted on anything
Oliver Replied
1/25/2026 at 10:29 AM
@Michael thanks, your tip worked.
Michael Graveen Replied
1/25/2026 at 12:56 PM
On Saturday, tried to upgrade from build 9483 (Dec 18, 2025) to 9518 (Jan2,2026) on Ubuntu 24.04 LTS.  Stopped the SmarterMail service, uninstalled, reinstalled.  The SmarterMail service kept crashing (core dump).  We did reboot and the service still crashed.  Went back to build 9483.  The service still crashed.  Had to restore the server.  So, the upgrade has not been successful.
anyone else using it with Ubuntu?

Mike
t
terry fairbrother Replied
1/25/2026 at 3:52 PM
I'm on ubuntu, free SM, no issues upgrading. I have done incremental updates as they were released
mh Replied
1/26/2026 at 6:55 AM
Ubuntu but in a docker, only issue was several months back with a bug in their upgrade from a much older version and on windows, which they got fixed within a few days once they were able to verify what was causing problems. No problems since.
AWRData Replied
1/26/2026 at 7:11 AM
On Windows Server 2016, I upgraded as soon as I received the email from SM.  It has been running fine since, until in the wee hours of this morning it stopped responding.  The web interface indicated a problem with the application responding, no SMTP, no IMAP.

Restarting the service on the server failed.  A basic sanity check of the system passed, so I restarted the server.  Everything came back up fine.

I have not had a chance to do any investigation and will not until sometime tomorrow.

FWIW, we are planning to move to Server 2025, but an issue with certificates has put a spanner in the works.
Rod Strumbel Replied
1/26/2026 at 7:21 AM
@AWRData...   did you notice when you installed on Windows 2016, did it utilize .Net 10?  Or a lower edition?  We are in the same boat (but on a much older version of SM currently) just wondering what all I need to get in place prior to running the update.  We are on 8451.

We actually saw vbs files introduced over the weekend into the MRS/Services folder.  Which, is NOT one of the listed exploits so thinking it may be something "normal" that our system level virus scanner identified.
J
J. LaDow Replied
1/26/2026 at 8:49 AM
@Rod: NO - THOSE FILES ARE NOT NORMAL  - THEY SHOULD BE SCANNED FOR MALWARE (ALONG WITH THE ENTIRE SERVER).

Here's the timeline:

First exploit was patched in 9413 - unauthenticated file upload leading to server compromise. That you have recent .VBS files in that folder means you were hit by the FIRST exploit.

The second and third exploits were patched in 9511 - this allowed unauthenticated resetting of "sysadmin" level account passwords - which once logged in could lead to complete server compromise. The other vulnerability is in the Connect-To-Hub endpoint that can result in RCE as well, but the details are unknown.

Build 9518 patches a vulnerability in the background-of-the-day endpoint that has a path-traversal/coercion vulnerability but the details are unknown.

AS OF CURRENT - 9518 IS THE ONLY VERSION ANYONE SHOULD BE RUNNING - AS ANYTHING PRIOR HAS KNOWN AND UNKNOWN VULNERABILITIES AND THEY ARE CURRENTLY BEING EXPLOITED IN THE WILD.

[edited/updated 2026-Jan-30] added notes for build 9518 and 9511.
MailEnable survivor / convert --
AWRData Replied
1/26/2026 at 1:05 PM
FWIW, a quick look over everything, nothing is out of the ordinary on my system.  All existing files are expected, and only expected files have been updated since the upgrade (not fool-proof, but helpful.)  As well, nothing is in the anti-virus quarantine.  Looks clean for now.
John Quest Replied
1/26/2026 at 3:04 PM
On Windows Server 2016, I upgraded as soon as I received the email from SM.  It has been running fine since, until in the wee hours of this morning it stopped responding.  The web interface indicated a problem with the application responding, no SMTP, no IMAP.

Restarting the service on the server failed.  A basic sanity check of the system passed, so I restarted the server.  Everything came back up fine.

Did you restart the server completely after doing the upgrade? That is always recommended.
John Quest Replied
1/26/2026 at 3:08 PM
We actually saw vbs files introduced over the weekend into the MRS/Services folder.  Which, is NOT one of the listed exploits so thinking it may be something "normal" that our system level virus scanner identified.

ALWAYS investigate new/unknown/questionable files on a server.

NEVER EVER EVER NEVER "ASSUME" that they are normal.

Remember, to assume means to make an A$$ out of U and ME.
t
terry fairbrother Replied
1/26/2026 at 3:31 PM
Slightly off topic, but as there's been mentions of Servers, how does SM sit with Microsoft CAL licenses? I have assumed that since a user will be using IIS and file storage, then a CAL will be needed. My intention is to run Server Std 2025 with a HyperV role and spin up a pair of Ubuntu VMs, one for SM, the other for RspamD, thus not needing user cals.

Just wondering how others are licensed outside of the SM license
Users dont need a CAL. Technically users dont use Microsoft software but only smartermail and that doesnt need CAL.
t
terry fairbrother Replied
1/27/2026 at 3:06 AM
But surely if an external user is coming in externally and using IIS, eg, autodiscover, that requires some form of licence, eg., EC?
No because you buy smartermail MAPI and they pay MS for the use.
J
J. LaDow Replied
1/27/2026 at 7:08 AM
CALs are "basically" only required for Active Directory and Remote Desktop Services -- those are the parts of the operating system that Microsoft can control.  

What applications and what they do is "on top" of that layer. If you leverage AD, there might be implications depending on the application's dependence on AD and system level services offered. If the applications are served via Remote Desktop or require it to function then CALs would apply to that scenario.
MailEnable survivor / convert --
MattyT Replied
1/27/2026 at 12:33 PM
Upgraded from 9511 on 1/23. Went without a hitch. No sketchy files anywhere on server.
AWRData Replied
1/30/2026 at 8:35 PM
A quick update.  My system became non-responsive again tonight.  A restart restored operations.

I also found that Windows Defender had caught several attempts to back-door my server via an unauthenticated upload.  The upload was caught each time.  These attempts date back into late December, and two more in January.

I have started a ticket to help provide whatever information I can to determine how the service keeps getting kicked offline.
Michael Graveen Replied
1/31/2026 at 7:45 PM
Today we upgraded from build 9483 to build 9526 (January 30, 2026).  Did the upgrade without uninstalling (just stopped the SM service).  Everything seems to be working fine.  I will post here it that changes.

Mike
J
J. LaDow Replied
1/31/2026 at 8:01 PM
If you do have issues in 9526 - there's another thread going over here ->
MailEnable survivor / convert --
M
Mark Milton Replied
2/3/2026 at 3:02 AM
I think my server has been attacked. How can I get control back?

I can't login to the Webmail

After reading the above I looked at the MRS folder than there is 33 .ASPX files uploaded beween the 10th - 15th January
YS Tech Replied
2/3/2026 at 5:07 AM
I also have a few .aspx files in that folder.
What should we be seeing in the MRS folder, should there be .aspx files in the form qf9u9k_0.aspx ?
If not, then can we just delete them?

I also have .txt and .aspx files in the Service/App_Data folder in the form wwg6hq_0.txt and wiwsgi_0.aspx. Should they be there?

The server has been virus and malware checked and doesn't see these as issues.

Also, which IP's should be whitelisted by default (I have 3 lots of local network ranges)?
J
J. LaDow Replied
2/3/2026 at 8:28 AM
@YS_Tech - none of those should be there, but they look like examples from previous versions of the uploader process. In the current SM versions, uploads are assigned different filenames when in "temporary" state before being processed and moved out of the uploads or Attachments folder. The house-cleaning built into SM for those folders cleans out anything unprocessed that's older than 3 days, but only in the uploads or attachments folder.

Those .txt and .aspx files should all be deleted - but check the file dates on them to see when they were created/last modified. You need to scan the rest of the filesystem for other signs of malicious uploads if you have some dropped where you're saying they are - because the path-escape vulnerability was also leveraged. These are signs of infection prior to installation of build 9511 or newer.
MailEnable survivor / convert --
YS Tech Replied
2/3/2026 at 1:08 PM
Thanks J.LaDow, i've had a scan around and checked. I had files in:

SmarterTools
SmarterTools/SmarterMail/
SmarterTools/SmarterMail/MRS
SmarterTools/SmarterMail/Service/App_Data
SmarterTools/SmarterMail/Service/Interface
SmarterTools/SmarterMail/Service/wwwroot

I couldn't find anything untoward outside of the SmarterTools directory.

I've now removed all of the files and i'm still running, so i'll keep an eye on these areas to see if anything appears again.
Rod Strumbel Replied
2/3/2026 at 4:04 PM
By the way, on discusson of the blah_0.aspx files... when I found mine they were going as far back as 1/9/2025... so this had been ongoing for awhile.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Automated SSL certificate Issues.SmarterMail > Troubleshooting
Key Feature and Version Milestones in SmarterMailSmarterMail
Attaching SmarterMail 16.x and Older Domains to New BuildsSmarterMail > Domain/User Configuration and Management
Understanding SNI in SmarterMailSmarterMail > Server Configuration and Management
Autodiscover and Registry Edits for Outlook and MAPISmarterMail > Desktop and Mobile Synchronization