SmarterMail Administrator Password Reset - Read this - CVE-2026-23760
Problem reported by Jade B - 1/27/2026 at 12:40 AM
I'm creating this post (which may seem like a duplicate) as there is some misinformation on the forums.

SmarterMail version 9511 and prior are subject to an unauthenticated administrator password reset - CVE-2026-23760.

If you've run into the issue where your SmarterMail administrator password no longer works, then it is because you're affected by the current exploit that affects version 9511 and prior.

Upgrade to the latest version (currently 9518).


To regain access to your SmarterMail server, use this

Assume that your server is compromised and prepare to rebuild and restore data from backup - pay attention to the mounted-drive section of watchTowr's post.

J. LaDow Replied
This is wrong.

9511 fixes the password reset vulnerability - verified in the very article you've posted, right above the first image in the report. We have also independently verified that the patch is valid.

MailEnable survivor / convert --
Jade B Replied
Hi J

That same version was being exploited; irrespective of that, the latest version addresses critical security issues in 9511 and prior.
J. LaDow Replied
MailEnable survivor / convert --
Jade B Replied
Please explain the critical differences, then, between 9511 and 9518. Based on my evidence, 9511 allows the SM administrator password to be reset, granting access to your SM installation.
J. LaDow Replied
Our contracted independent testing shows the vulnerability was patched. We have run multiple scenarios against the build and are unable to trigger a reset. If you have evidence otherwise, that needs to be communicated directly to SmarterTools for investigation.

SmarterTools sent out communications stressing the importance of upgrading to build 9518 and that there is an undisclosed vulnerability present in previous builds that 9518 fixes.

The reason watchTowr released public information early on builds older than 9511 was clearly documented in their report: the vulnerability was already being exploited in the wild.

For the first vulnerability they reported, they followed responsible-disclosure ethics, along with all other entities that were involved in the discovery and reporting. That's why there was a long window between the fix in October and disclosure in December. Additionally, watchTowr did not release any data on the first vulnerability until AFTER Singapore released their alert. The main complaint was the watering down/non-notification of the first two fixes.

As for what was fixed in build 9518, I am not at liberty to detail it, for two reasons: one, responsible-disclosure ethics; two, we won't violate our license agreement in regards to reverse engineering. We were alerted that the vulnerability exists, and updated accordingly prior to exploit code landing in the wild.

Now that SmarterTools and security firms are on the same page about alert and disclosure, I am not about to rock that boat.

ONE THING we are in agreement on: build 9518 is what everyone should be running - anything older has vulnerabilities. My issue was that the information posted about 9511 is inaccurate, as 9511 DOES fix the password reset vulnerability. In my experience, it is recommended to make sure you have control of your server before upgrading.
MailEnable survivor / convert --
Jade B Replied
Thank you for the update and explanation into what you know and can share with the community. 

I'll post my findings in here just to clarify.
Mark Johnson Replied
Totally agree: if you are not running 9518 today, you are on the hackers' list and will get hit eventually.
We seriously considered a business-hours update when it was released last week, but it was a nervous few hours while we planned an outage window.

Do it now or be prepared for some potentially difficult discussions with your customers.
Security is always priority 1 these days.
