SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSmartertools Smartermail
APPSmartertools16.0.6345 – 16.3.6985 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth BypassDeserialization
CWE
References
Related vulnerabilities
CVE-2026-24423CRITICAL9.3⚠ KEVPL ✓ten sam produkt
SmarterMail – nieuwierzytelnione RCE przez ConnectToHub API
CVE-2026-23760CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Pominięcie uwierzytelnienia w API resetowania hasła SmarterMail
CVE-2025-52691CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Nieautoryzowany upload plików i RCE w SmarterMail (SmarterTools)
CVE-2021-32234CRITICAL9.8ten sam produkt
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
CVE-2026-7807HIGH8.7ten sam produkt
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/repo...