The server compiles the injected C# code on the fly, and the attacker has a SYSTEM-level shell on the mail server.

SmarterMail builds below 6985 expose a secondary administrative service on a port that listens publicly (0.0.0.0:17001) by default. It exposes three native .NET Remoting endpoints used for internal application communication: /Servers, /Mail and /Spool.

Insecure Deserialization (CVE-2019-7214)

(the highest level of administrative control on a Windows server).

Exploit Availability: Public exploit code and a Metasploit module (exploit/windows/http/smartermail_rce) are widely available.

Verification

Unexplained or sudden inbound network activity hitting TCP Port 17001 from non-internal source addresses.
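The two checks described above (a listener bound to 0.0.0.0:17001 and inbound connections to that port from non-internal sources) can be run over `netstat -ano` output. This is an added example, not code from the original page; the netstat sample is constructed, and the list of internal ranges is an assumption to adjust per site.

```python
import ipaddress

REMOTING_PORT = 17001  # .NET Remoting port named on this page

# Assumption: "internal" means loopback plus RFC 1918 / ULA space; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:17001          0.0.0.0:0              LISTENING       2340
  TCP    0.0.0.0:9998           0.0.0.0:0              LISTENING       2340
  TCP    10.0.0.5:17001         10.0.0.21:50112        ESTABLISHED     2340
  TCP    10.0.0.5:17001         203.0.113.7:51544      ESTABLISHED     2340
  TCP    10.0.0.5:49822         198.51.100.9:17001     ESTABLISHED     4012
  TCP    [::]:17001             [::]:0                 LISTENING       2340
"""

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def audit(netstat_text):
    """Return (wildcard listeners on 17001, external peers connected to 17001)."""
    exposed, external = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP":
            continue  # header, UDP and blank lines
        (lhost, lport), (rhost, _) = split_endpoint(fields[1]), split_endpoint(fields[2])
        if lport != REMOTING_PORT:
            continue  # outbound connections to a remote 17001 are not inbound hits
        if fields[3] == "LISTENING":
            if lhost.is_unspecified:  # 0.0.0.0 or [::] = bound on every interface
                exposed.append(fields[1])
        elif not is_internal(rhost):
            external.append((str(rhost), fields[3]))
    return exposed, external

if __name__ == "__main__":
    listeners, peers = audit(SAMPLE_NETSTAT)
    print("wildcard listeners:", listeners)
    print("non-internal peers:", peers)
```

A wildcard listener only shows the bind address; whether the port is reachable from outside still depends on host and perimeter firewall rules.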

A common method to exploit this vulnerability is through the Metasploit Framework, which includes a dedicated module for SmarterMail RCE, specifically targeting builds before 6985.

Module: exploit/windows/http/smartermail_rce

Identified by VulnCheck and assigned to four independent researchers, this vulnerability allows unauthenticated remote code execution through the ConnectToHub API. It affects builds (patched January 15, 2026). The vulnerable endpoint is /api/v1/settings/sysadmin/connect-to-hub. This endpoint does not require authentication and configures the mounted path of the server. The attacker controls the remote server, and the CommandMount parameter allows arbitrary command execution. The server then requests /web/api/node-management/setup-initial-connection from the attacker-controlled server, receives a JSON object with the CommandMount parameter, and executes those commands on all supported platforms.

If you are running (including all 16.x, 15.x, and early 100.x builds), you are vulnerable.

A successful attack grants the intruder the ability to execute arbitrary OS commands with the privileges of the SmarterMail service.

POST /svc/ServiceController.svc/ExecuteBackupCommand HTTP/1.1
Host: mail.victim.com:9998
Content-Type: application/json
Content-Length: 1270