Decompiled Patch Diff Enables SmarterMail Admin Password Bypass (WT-2026-0001)

Researchers detail WT-2026-0001 in SmarterMail, a pre-authentication admin password-reset bypass that can be triggered by calling a force-reset-password API with IsSysAdmin set to true, granting admin access without verification of OldPassword and potentially yielding remote code execution via the Volume Mount feature. A PoC shows a JSON payload including IsSysAdmin, Username, and NewPassword. SmarterTools released patch 9511 on Jan 15, 2026 to fix the flaw, but exploitation was observed shortly after the patch, highlighting the urgent need to upgrade. The patched flow enforces admin verification and old-password checks, mitigating this bypass; the report also notes the ongoing risk and how attackers monitor patches to exploit high-value targets.
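As an added illustration (not SmarterMail's code and not from the watchTowr report), the handler pattern the summary describes beside its patched form: the first lets the request body assert IsSysAdmin and thereby skip the OldPassword check, the second rejects unauthenticated calls, reads the admin flag from the caller's server-side record and verifies the old password for self-resets. The function names, the user store and the hash helper are assumptions.

```python
# Added illustration, not SmarterMail's code: a password-reset handler that trusts a
# client-supplied IsSysAdmin flag (the pattern the summary describes), beside one that
# takes privilege from the server-side session and verifies OldPassword.
import hashlib
import hmac
import secrets
from typing import Optional

def hash_pw(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_pw(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_pw(password, stored[:16]), stored)

def fresh_users() -> dict:
    """Constructed user store: username -> [password hash, server-side sysadmin flag]."""
    return {"admin": [hash_pw("Adm1n-Correct-Horse"), True],
            "alice": [hash_pw("alice-old-pw"), False]}

def reset_vulnerable(caller: Optional[str], req: dict, users: dict) -> bool:
    """Pre-fix pattern: the request body decides whether the caller is an admin,
    and an 'admin' request skips the OldPassword check. `caller` is never consulted."""
    target = users.get(req.get("Username"))
    if target is None:
        return False
    if req.get("IsSysAdmin") or check_pw(req.get("OldPassword", ""), target[0]):
        target[0] = hash_pw(req["NewPassword"])
        return True
    return False

def reset_fixed(caller: Optional[str], req: dict, users: dict) -> bool:
    """Patched pattern: reject pre-auth calls, read the admin flag from the caller's own
    record (the body's IsSysAdmin is ignored), and require OldPassword for self-resets."""
    if caller is None or caller not in users:
        return False
    target = users.get(req.get("Username"))
    if target is None:
        return False
    if caller == req["Username"]:
        if not check_pw(req.get("OldPassword", ""), target[0]):
            return False
    elif not users[caller][1]:
        return False
    target[0] = hash_pw(req["NewPassword"])
    return True
```

The same unauthenticated request that the first handler accepts is rejected by the second, which is the regression check a patch verification should keep.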
Read on watchTowr Labs