Detect SmarterMail Missing Authentication for Critical Function (CVE-2026-24423) in Google Chronicle
Detects exploitation of CVE-2026-24423, a missing authentication vulnerability (CWE-306) in SmarterTools SmarterMail. This KEV-listed vulnerability allows unauthenticated attackers to access critical functions in SmarterMail, potentially enabling unauthorized administrative access, data exfiltration, or further lateral movement. Detection focuses on unauthenticated access patterns to administrative and critical API endpoints.
YARA-L Detection Query
rule smartermail_missing_auth_cve_2026_24423 {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects unauthenticated access to SmarterMail critical endpoints (CVE-2026-24423)"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://www.cve.org/CVERecord?id=CVE-2026-24423"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    // State-changing methods against the mail server
    $e.network.http.method = /POST|PUT|DELETE|PATCH/
    // Either the referrer identifies SmarterMail or the URL targets an administrative path
    ($e.network.http.referral_url = /smartermail|smarter\.mail/ nocase or
     $e.target.url = /\/api\/|\/admin\/|\/settings\/|\/interface\//)
    // Require a populated User-Agent; an empty value usually indicates a malformed event
    $e.network.http.user_agent != ""
    // No authenticated principal is mapped to the request
    ($e.principal.user.userid = "-" or $e.principal.user.userid = "")
    // Only successful responses show the critical function was actually reached
    ($e.network.http.response_code = 200 or $e.network.http.response_code = 201 or
     $e.network.http.response_code = 204 or $e.network.http.response_code = 302)

  condition:
    $e
}

Chronicle YARA-L rule detecting unauthenticated HTTP requests to SmarterMail administrative and API endpoints with successful response codes, indicating potential CVE-2026-24423 exploitation.
False Positives & Tuning
- Legitimate service accounts accessing SmarterMail APIs that appear unauthenticated in UDM due to token-based auth not mapped to user fields
- Internal network probes or synthetic monitoring tools polling SmarterMail endpoints
- Third-party email clients or connectors using alternative authentication flows not captured in HTTP UDM events
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated GET to SmarterMail Admin API Endpoint
Expected signal: IIS access log entry with cs-username='-', cs-method=GET, sc-status=200, cs-uri-stem=/api/v1/settings/sysadmin/general
- Test 2: Unauthenticated POST to SmarterMail User Creation Endpoint
Expected signal: IIS log entry with cs-method=POST, cs-uri-stem=/api/v1/settings/sysadmin/users, cs-username='-', sc-status=200 or 201. SmarterMail application log: new user creation event for [email protected]
- Test 3: Unauthenticated SmarterMail Mail Forwarding Rule Injection
Expected signal: IIS log entry with cs-method=POST, cs-uri-stem=/api/v1/settings/sysadmin/users/[email protected]/forwardingRules, cs-username='-', sc-status=200. SmarterMail audit log: forwarding rule added for [email protected] pointing to an external domain.
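The expected signals above are IIS W3C access log entries. The following added example (not part of the df00tech detection package) applies the same predicates as the YARA-L rule to constructed IIS log lines, and adds a user-agent allowlist as one tuning knob from the False Positives section. It extends the rule's method set with GET, since Test 1 exercises a read-only admin endpoint; the log field order, IP addresses, user agents and the allowlist value are all assumptions.

```python
import re

# Constructed IIS W3C sample (not real telemetry). The #Fields line defines
# the column order; "-" in cs-username means no authenticated principal.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-02-01 10:00:01 POST /api/v1/settings/sysadmin/users - 203.0.113.7 python-requests/2.31 201
2026-02-01 10:00:05 GET /api/v1/settings/sysadmin/general - 203.0.113.7 python-requests/2.31 200
2026-02-01 10:01:00 POST /api/v1/settings/sysadmin/users admin@example.test 10.0.0.5 Mozilla/5.0 200
2026-02-01 10:02:00 GET /interface/root - 10.0.0.9 synthetic-monitor/1.0 200
2026-02-01 10:03:00 POST /api/v1/settings/sysadmin/users - 198.51.100.3 python-requests/2.31 401
"""

# Predicates mirrored from the YARA-L rule; GET added because Test 1 above is a GET.
METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}
SENSITIVE_PATH = re.compile(r"/api/|/admin/|/settings/|/interface/")
SUCCESS_CODES = {200, 201, 204, 302}
# Tuning knob (constructed value): monitoring tools that legitimately poll unauthenticated.
ALLOWLISTED_AGENTS = {"synthetic-monitor/1.0"}


def parse_iis(log_text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_unauthenticated_admin_access(entry):
    """No mapped user, sensitive path, eligible method, success status, non-allowlisted UA."""
    agent = entry.get("cs(User-Agent)", "-")
    return (
        entry.get("cs-username", "-") in ("-", "")
        and entry.get("cs-method") in METHODS
        and SENSITIVE_PATH.search(entry.get("cs-uri-stem", "")) is not None
        and int(entry.get("sc-status", 0)) in SUCCESS_CODES
        and agent != "-" and agent not in ALLOWLISTED_AGENTS
    )


def detect(log_text):
    """Return (c-ip, cs-method, cs-uri-stem, sc-status) for each matching entry."""
    return [
        (e["c-ip"], e["cs-method"], e["cs-uri-stem"], int(e["sc-status"]))
        for e in parse_iis(log_text)
        if is_unauthenticated_admin_access(e)
    ]
```

Running `detect(SAMPLE_IIS_LOG)` flags only the two unauthenticated successful requests from 203.0.113.7; the authenticated admin call, the allowlisted monitor and the rejected 401 request are dropped.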