CVE-2026-24423

SmarterMail Missing Authentication for Critical Function (CVE-2026-24423)

Detects exploitation of CVE-2026-24423, a missing authentication vulnerability (CWE-306) in SmarterTools SmarterMail. This KEV-listed vulnerability allows unauthenticated attackers to access critical functions in SmarterMail, potentially enabling unauthorized administrative access, data exfiltration, or further lateral movement. Detection focuses on unauthenticated access patterns to administrative and critical API endpoints.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
SmarterTools
Product
SmarterMail

Weakness (CWE)
CWE-306

Timeline

Disclosed
February 5, 2026

CVSS

Unscored
Write-up coming soon

What is SmarterMail Missing Authentication for Critical Function (CVE-2026-24423)?

SmarterMail Missing Authentication for Critical Function (CVE-2026-24423) maps to the Initial Access, Persistence and Privilege Escalation tactics in MITRE ATT&CK; under Initial Access, the adversary is trying to get into your network.

This page provides production-ready detection logic for SmarterMail Missing Authentication for Critical Function (CVE-2026-24423), covering the data sources and telemetry it touches: IIS Logs, Azure Application Gateway Logs, Windows Event Logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic

  • Initial Access
  • Persistence
  • Privilege Escalation

Microsoft Sentinel / Defender

```kusto
union isfuzzy=true
(
  W3CIISLog
  | where TimeGenerated > ago(1h)
  | where csUriStem has_any ("/api/", "/admin/", "/settings/", "/interface/", "/services/")
  | where csMethod in ("POST", "PUT", "DELETE", "PATCH")
  // IIS records '-' (or nothing) when no authenticated identity is attached to the request
  | where isempty(csUsername) or csUsername == "-"
  | where scStatus in (200, 201, 204, 302)
  | project TimeGenerated, Source = "IIS", SmarterMailServer = Computer,
            csClientIP, csUriStem, csMethod, scStatus, csUsername, csUserAgent
),
(
  AzureDiagnostics
  | where TimeGenerated > ago(1h)
  | where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayAccessLog"
  | where requestUri_s has_any ("/api/", "/admin/", "/settings/", "/interface/")
  | where httpMethod_s in ("POST", "PUT", "DELETE")
  | where userAgent_s !has "Mozilla" or isempty(userAgent_s)
  | where toint(httpStatus_d) in (200, 201, 204, 302)
  // Map the Application Gateway access-log columns onto the IIS column names so both
  // branches share one schema; the gateway log carries no authenticated user, so csUsername is empty
  | project TimeGenerated, Source = "AppGateway", SmarterMailServer = Resource,
            csClientIP = clientIP_s, csUriStem = requestUri_s, csMethod = httpMethod_s,
            scStatus = toint(httpStatus_d), csUsername = "", csUserAgent = userAgent_s
)
| extend AuthBypass = true
| order by TimeGenerated desc
```

Detects unauthenticated HTTP requests to SmarterMail critical API and administrative endpoints. Focuses on state-changing methods (POST/PUT/DELETE) with missing or null authentication context returning success status codes.

Severity: critical. Confidence: medium.

Data Sources

  • IIS Logs
  • Azure Application Gateway Logs
  • Windows Event Logs

Required Tables

  • W3CIISLog
  • AzureDiagnostics

False Positives

  • Health check services or monitoring tools polling SmarterMail endpoints without authentication headers
  • Internal automation scripts that access SmarterMail APIs using service accounts that may log differently
  • Misconfigured reverse proxies that strip authentication headers before forwarding to SmarterMail

Sigma rule & cross-platform mapping

The detection logic for SmarterMail Missing Authentication for Critical Function (CVE-2026-24423) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated GET to SmarterMail Admin API Endpoint

    Expected signal: IIS access log entry with csUsername='-', csMethod=GET, scStatus=200, csUriStem=/api/v1/settings/sysadmin/general

  2. Test 2: Unauthenticated POST to SmarterMail User Creation Endpoint

    Expected signal: IIS log: csMethod=POST, csUriStem=/api/v1/settings/sysadmin/users, csUsername='-', scStatus=200 or 201. SmarterMail app log: new user creation event for [email protected]

  3. Test 3: Unauthenticated SmarterMail Mail Forwarding Rule Injection

    Expected signal: IIS log entry: POST to /api/v1/settings/sysadmin/users/[email protected]/forwardingRules with csUsername='-' and scStatus=200. SmarterMail audit log: forwarding rule added for [email protected] pointing to an external domain.
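The following Python is an added example, not part of this detection package and not SmarterTools code. It replays the W3CIISLog branch of the query above (state-changing method, critical SmarterMail path, anonymous cs-username, success status) over constructed IIS log lines shaped like the expected signals in the tests, and adds the allow-listing a practitioner would apply for the false-positive sources listed earlier. The log field order, IP addresses, user agents, the "HealthMonitor" agent name and the `parse_w3c`/`detect` helper names are all assumptions made for the example.

```python
"""Replay of the CVE-2026-24423 detection logic over W3C IIS log lines.

Mirrors the W3CIISLog branch of the Sentinel query on this page and adds
allow-listing for the documented false-positive sources (health-check
pollers, internal automation).  Every log line here is a constructed sample.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator, Sequence

# Filter values taken from the KQL query above.
CRITICAL_PATHS = ("/api/", "/admin/", "/settings/", "/interface/", "/services/")
STATE_CHANGING = frozenset({"POST", "PUT", "DELETE", "PATCH"})
SUCCESS_STATUS = frozenset({200, 201, 204, 302})

# Constructed W3C extended log excerpt in the IIS default field order (assumption).
# IIS writes '-' for an empty field and '+' for spaces inside the User-Agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-02-05 10:00:01 10.0.0.20 POST /api/v1/settings/sysadmin/users - 443 - 203.0.113.10 python-requests/2.31.0 - 200 0 0 15
2026-02-05 10:00:02 10.0.0.20 POST /api/v1/settings/sysadmin/general - 443 admin 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 22
2026-02-05 10:00:03 10.0.0.20 POST /api/v1/settings/sysadmin/general - 443 - 10.0.0.5 HealthMonitor/1.0 - 200 0 0 8
2026-02-05 10:00:04 10.0.0.20 GET /api/v1/settings/sysadmin/general - 443 - 203.0.113.10 curl/8.4.0 - 200 0 0 9
2026-02-05 10:00:05 10.0.0.20 DELETE /api/v1/settings/sysadmin/users - 443 - 203.0.113.11 curl/8.4.0 - 401 1 0 3
"""


@dataclass(frozen=True)
class IISRecord:
    timestamp: str
    client_ip: str
    method: str
    uri_stem: str
    username: str
    user_agent: str
    status: int


def parse_w3c(lines: Iterable[str]) -> Iterator[IISRecord]:
    """Parse W3C extended log lines, taking column order from the #Fields: directive."""
    fields: list[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header missing or line malformed: skip rather than mis-align columns
        row = dict(zip(fields, values))
        yield IISRecord(
            timestamp=f"{row['date']} {row['time']}",
            client_ip=row["c-ip"],
            method=row["cs-method"].upper(),
            uri_stem=row["cs-uri-stem"],
            username=row["cs-username"],
            user_agent=row["cs(User-Agent)"],
            status=int(row["sc-status"]),
        )


def is_anonymous(username: str) -> bool:
    """IIS logs '-' (or nothing) when no authenticated identity is attached to the request."""
    return username in ("", "-")


def detect(
    records: Iterable[IISRecord],
    methods: frozenset = STATE_CHANGING,
    allowed_ips: Sequence[str] = (),
    allowed_agent_prefixes: Sequence[str] = (),
) -> list[IISRecord]:
    """Return records matching the unauthenticated-critical-function pattern.

    allowed_ips / allowed_agent_prefixes suppress the page's listed false positives
    (health-check pollers, internal automation) once those sources are inventoried.
    """
    hits = []
    for r in records:
        if r.method not in methods:
            continue
        # KQL has_any matches the term anywhere in the path, so use a substring test here too.
        if not any(p in r.uri_stem for p in CRITICAL_PATHS):
            continue
        if not is_anonymous(r.username) or r.status not in SUCCESS_STATUS:
            continue
        if r.client_ip in allowed_ips:
            continue
        if any(r.user_agent.startswith(pfx) for pfx in allowed_agent_prefixes):
            continue
        hits.append(r)
    return hits


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG.splitlines()))
    for hit in detect(recs, allowed_ips=("10.0.0.5",)):
        print(f"{hit.timestamp} {hit.client_ip} {hit.method} {hit.uri_stem} -> {hit.status}")
```

Run against the sample, the untuned detector flags both the anonymous POST from 203.0.113.10 and the health-check POST from 10.0.0.5; allow-listing the monitoring host leaves only the first. The authenticated request and the 401 DELETE never match. Note that Test 1 above expects a GET to produce a signal, while the query's method filter only covers POST/PUT/DELETE/PATCH; passing `methods=STATE_CHANGING | {"GET"}` makes the replay catch that case at the cost of more noise from read-only pollers.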

Unlock Pro Content

Get the full detection package for CVE-2026-24423 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance
