CVE-2026-23760

SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760)

Initial Access Credential Access Last updated:

Detects exploitation of CVE-2026-23760, an authentication bypass vulnerability (CWE-288) in SmarterTools SmarterMail. Attackers can access protected functionality through an alternate path or channel without valid credentials, potentially leading to unauthorized mailbox access, data exfiltration, or lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
SmarterTools
Product
SmarterMail

Weakness (CWE)

CWE-288

Timeline

Disclosed
January 26, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-23760 SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760)?

SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760) (CVE-2026-23760) maps to the Initial Access and Credential Access tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760), covering the data sources and telemetry it touches: W3CIISLog, DeviceNetworkEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Credential Access
Microsoft Sentinel / Defender
kusto 
union isfuzzy=true
(
  W3CIISLog
  | where csUriStem has_any ("/api/", "/autodiscover/", "/ews/", "/mapi/", "/interface/", "/webmail/")
  | where csMethod in ("POST", "GET", "PUT")
  | where scStatus in (200, 201, 302) and (csUriQuery has_any ("bypass", "token=", "auth=", "session=") or csUriStem has_any ("/admin", "/config", "/settings"))
  | where csUserAgent !has "Mozilla" or csUriStem has "/api/v1/"
  | extend TargetResource = strcat(csUriStem, "?", csUriQuery)
  | project TimeGenerated, cIP, csUriStem, csUriQuery, csMethod, scStatus, csUserAgent, TargetResource, _ResourceId
),
(
  DeviceNetworkEvents
  | where RemotePort in (25, 110, 143, 443, 587, 993, 995, 8080, 8443)
  | where InitiatingProcessFileName has_any ("SmarterMail", "MailService", "smtpd")
  | where ActionType == "InboundConnectionAccepted"
  | project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine
)
| summarize RequestCount=count(), DistinctURIs=dcount(csUriStem), DistinctPorts=dcount(RemotePort) by bin(TimeGenerated, 5m), cIP, DeviceName
| where RequestCount > 10 or DistinctURIs > 5

Detects suspicious HTTP requests to SmarterMail endpoints indicative of authentication bypass attempts, including access to admin/config paths without standard browser user-agents, anomalous query parameters, and high-frequency access patterns from single IPs.

critical severity medium confidence

Data Sources

W3CIISLog DeviceNetworkEvents

Required Tables

W3CIISLog DeviceNetworkEvents

False Positives

  • Legitimate automated mail clients or monitoring tools polling SmarterMail APIs at high frequency
  • Internal IT administrators accessing admin panels via scripts or non-browser HTTP clients
  • Load balancers or health-check probes generating repeated requests to SmarterMail endpoints
  • Legitimate third-party integrations using API tokens that appear in query strings

Sigma rule & cross-platform mapping

The detection logic for SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760) (CVE-2026-23760) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-23760 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-23760

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Probe SmarterMail Admin API Without Credentials

    Expected signal: IIS access log entry showing GET /api/v1/settings/sysadmin/general with HTTP 200 or 302, source IP of test host, user-agent 'python-requests/2.28'

  2. Test 2Enumerate SmarterMail User Accounts via Bypass Path

    Expected signal: IIS logs showing sequential requests to /api/v1/accounts, /autodiscover/autodiscover.xml, /ews/exchange.asmx with non-standard user-agent from a single IP within seconds

  3. Test 3SmarterMail Authentication Bypass via Token Parameter Injection

    Expected signal: Windows Event Log network connection events and IIS access log entries showing GET requests with 'token=', 'auth=', 'session=' query parameters, HTTP responses 200/302/401, user-agent 'TestClient/1.0'

Unlock Pro Content

Get the full detection package for CVE-2026-23760 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1114Email Collection

Same Tactic: Initial Access

Popular Detections