Overview
- Researchers report attackers began resetting administrator passwords via the /api/v1/auth/force-reset-password endpoint within two days of the January 15 Build 9511 release.
- The unauthenticated endpoint accepts attacker-controlled JSON with an IsSysAdmin flag that, when set to true, resets a chosen admin’s password without verifying the old one.
- With admin access, the Volume Mount Command feature can run operating system commands, enabling SYSTEM-level remote code execution on affected servers.
- SmarterTools says Build 9511 blocks the exploit by adding password validation checks, yet the issue still has no assigned CVE.
- After criticism of vague release notes, CEO Tim Uzzanti said the company will start emailing administrators when new CVEs are discovered and when builds that resolve them are released.
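A defender reviewing web server logs for the activity described above can hunt for the force-reset endpoint and for the follow-on sequence of a reset and then a login from the same client. The script below is an added example, not SmarterTools code; it assumes an IIS W3C-style log layout (date, time, client IP, method, URI stem, status) and a hypothetical login path of /api/v1/auth/login, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

RESET_ENDPOINT = "/api/v1/auth/force-reset-password"  # path reported in the advisory coverage
LOGIN_ENDPOINT = "/api/v1/auth/login"                  # assumption: login path used for follow-on access

# Constructed sample log in IIS W3C style (date time c-ip cs-method cs-uri-stem sc-status); not real data.
SAMPLE_LOG = """\
2026-01-16 02:14:07 203.0.113.45 POST /api/v1/auth/force-reset-password 200
2026-01-16 02:14:09 203.0.113.45 POST /api/v1/auth/login 200
2026-01-16 02:20:33 198.51.100.7 POST /api/v1/auth/force-reset-password 200
2026-01-16 09:01:10 192.0.2.10 GET /interface/root 200
2026-01-16 09:02:11 192.0.2.10 POST /api/v1/auth/login 200
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse W3C-style lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, method, path, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "ip": ip, "method": method, "path": path, "status": int(status)})
    return events

def find_force_resets(events):
    """Every request to the force-reset endpoint, whatever the status: a 4xx is still a probe worth seeing."""
    return [e for e in events if e["path"].lower() == RESET_ENDPOINT]

def reset_then_login(events, window=timedelta(minutes=10)):
    """Force-resets followed by a 200 login from the same client IP within `window`.
    An already-authenticated admin changing a password in the UI has no reason to hit the
    unauthenticated reset endpoint, so this pairing is a strong compromise indicator."""
    flagged = []
    for r in find_force_resets(events):
        for e in events:
            if (e["ip"] == r["ip"] and e["path"].lower() == LOGIN_ENDPOINT
                    and e["status"] == 200 and r["ts"] <= e["ts"] <= r["ts"] + window):
                flagged.append((r["ip"], r["ts"].isoformat(sep=" "), e["ts"].isoformat(sep=" ")))
                break
    return flagged

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(find_force_resets(evs))} request(s) to {RESET_ENDPOINT}")
    for ip, reset_at, login_at in reset_then_login(evs):
        print(f"ALERT {ip}: force-reset at {reset_at}, login at {login_at}")
```

Any hit on the reset endpoint from a server running a build older than 9511 should be treated as a likely admin takeover and followed by a review of Volume Mount Command usage and a credential rotation.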