Authentication Bypass in SmarterTools SmarterMail Password Reset API

This repository contains a small, focused Python proof-of-concept exploit for an unauthenticated SmarterTools SmarterMail authentication bypass identified as WT-2026-0001 and also referenced in one script as CVE-2026-23760. The repository structure is simple: top-level legal/disclaimer documentation, a detailed exploit-specific subdirectory (WT-2026-0001/) containing a README and the main exploit script, plus a second standalone PoC script at the repository root. The main exploit logic is in WT-2026-0001/exploit.py. It defines a SmarterMailExploit class with three core actions: (1) check_vulnerability(), which sends a POST request to /api/v1/auth/force-reset-password using a crafted JSON body and interprets a successful JSON response as vulnerable; (2) exploit(), which sends a similar POST request but with the operator-supplied replacement password to reset the admin password; and (3) verify_login(), which only prints instructions for manual login verification at /login.aspx. The script uses requests.Session(), disables TLS certificate verification, sets browser-like headers, and supports CLI arguments for target URL, username, replacement password, and a check-only mode. The exploit capability is straightforward and actionable: it resets an administrator password without prior authentication by abusing the force-reset-password API and setting IsSysAdmin to true while supplying an arbitrary OldPassword value. This yields administrative access to the SmarterMail web interface if the target is vulnerable. The exploit itself does not automate remote code execution, persistence, or lateral movement. However, the included documentation explicitly states that admin access can be followed by abuse of SmarterMail's Volume Mount functionality for command execution, making the password reset a stepping stone to full compromise. The secondary script, smartermail_poc.py, is a shorter standalone variant of the same attack. It performs a single POST request to the same endpoint with similar JSON fields and prints the response. It lacks the more structured vulnerability-check workflow of the main exploit but confirms the same core capability. Overall, this is a real exploit repository rather than a detector-only project. It is best classified as OPERATIONAL: it contains working exploit code and an attacker-controlled payload element (new password), but it is not part of a larger exploitation framework and does not include modular post-exploitation automation.

Repository contains a single Python exploit script (exploit.py) plus README and requirements. Purpose: exploit SmarterMail via a two-step chain described as “Auth Bypass & RCE”. Step 1 abuses the API endpoint /api/v1/auth/force-reset-password by sending a JSON body with IsSysAdmin set to "true" to reset an arbitrary user’s password (default target user: admin). Step 2 logs in to /api/v1/auth/authenticate-user using the new password to obtain an accessToken. Step 3 uses that Bearer token to call /api/v1/settings/sysadmin/AddOrUpdateMount with attacker-controlled commandMount (and optional commandUnmount) to execute arbitrary OS commands on the server. Structure: - README.md: explains the chain, usage, and references a watchTowr Labs write-up (WT-2026-0001). - exploit.py: implements reset_password(), login(), and exp() functions; main() parses --url, --newpass, --cmd, --username and runs the chain automatically. - requirements.txt: requests and logfy. Notable implementation details: - Network-only exploit using HTTP POST requests with JSON bodies. - Uses Authorization: Bearer <token> for the RCE step. - The exp() function does not parse/return the response (fire-and-forget), so success is inferred by lack of exception rather than server confirmation. - Hardcodes old_password="old_pass" in reset_password(), implying the endpoint is expected to ignore/override old password validation when IsSysAdmin is true.