Unauthenticated RCE in SmarterTools SmarterMail ConnectToHub API

Repository purpose: a minimal proof-of-concept to reproduce CVE-2026-24423 in SmarterMail’s ConnectToHub workflow by standing up an attacker-controlled “Hub” HTTP service and then triggering the victim’s unauthenticated connect-to-hub API so the victim SSRFs to the hub and consumes a malicious JSON response. Structure: - CVE-2026-24423.py: Python3 HTTP server (http.server) that listens on 0.0.0.0:80 and only responds to POST /web/api/node-management/setup-initial-connection. It logs the received request body and returns a crafted JSON object containing fields like ClusterID/SharedSecret and, critically, SystemMount with MountPath "C:\\" and CommandMount "whoami > C:\\whoami.txt". This models the trust-boundary violation where the victim treats hub-provided configuration as authoritative and performs system-level actions. - README.md: Explains the vulnerability chain (unauthenticated admin interface + SSRF to attacker hub + hub response used for local operations → potential RCE). Provides a sample request to POST /api/v1/settings/sysadmin/connect-to-hub with hubAddress pointing to the attacker server. Exploit capabilities: - Acts as the attacker-controlled hub endpoint to deliver a malicious configuration payload. - Demonstrates a command-execution outcome (example Windows command writing whoami output to C:\\whoami.txt) if the target is vulnerable. Notes: - This repo does not include an automated client to send the trigger request; it relies on manual tooling (Burp/Yakit) per README. - The payload is hardcoded and Windows-oriented (C:\\ paths, cmd redirection).