SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched SmarterMail instance.

The incident took place on January 29, 2026, when a mail server that was not updated to the latest version was compromised, the company's Chief Commercial Officer, Derek Curtis, said.

"Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained. "Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach."

However, SmarterTools emphasized that the breach did not affect its website, shopping cart, My Account portal, and several other services, and that no business applications or account data were affected or compromised.

About 12 Windows servers on the company's office network, as well as a secondary data center used for quality control (QC) tests, are confirmed to be affected. According to its CEO, Tim Uzzanti, the "attempted ransomware attack" also impacted hosted customers using SmarterTrack.

"Hosted customers using SmarterTrack were the most affected," Uzzanti said in a different Community Portal thread. "This was not due to any issue within SmarterTrack itself, but rather because that environment was more easily accessible than others once they breached our network."

Furthermore, SmarterTools acknowledged that the Warlock group waited for a couple of days after gaining initial access to take control of the Active Directory server and create new users, followed by dropping additional payloads like Velociraptor and the locker to encrypt files.

"Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action," Curtis said. "This explains why some customers experienced a compromise even after updating -- the initial breach occurred prior to the update, but malicious activity was triggered later."

It's currently not clear which SmarterMail vulnerability was weaponized by attackers, but it's worth noting that multiple flaws in the email software – CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS scores: 9.3) – have come under active exploitation in the wild.

CVE-2026-23760 is an authentication bypass flaw that allows any unauthenticated user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request. CVE-2026-24423, on the other hand, is a weakness in the ConnectToHub API method that can be exploited to achieve unauthenticated remote code execution (RCE).

The vulnerabilities were addressed by SmarterTools in build 9511. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2026-24423 was being exploited in ransomware attacks.

In a report published Monday, cybersecurity company ReliaQuest said it identified activity likely linked to Warlock that involved the abuse of CVE-2026-23760 to bypass authentication and stage the ransomware payload on internet-facing systems. The attackers also used that initial access to download a malicious MSI installer ("v4.msi") from Supabase, a legitimate cloud-based backend platform, in order to install Velociraptor.

"While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software's built-in 'Volume Mount' feature to gain full system control," security researcher Alexa Feminella said. "Upon entry, the group installs Velociraptor, a legitimate digital forensics tool it has used in previous campaigns, to maintain access and set the stage for ransomware."
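As an added example (not code from the article, SmarterTools or ReliaQuest), the following Python script hunts for two of the post-exploitation steps described above in Windows event records: account creation (Security event 4720, which the Active Directory step would produce) and an MSI install of Velociraptor (MsiInstaller events 1033 and 11707) on any host that is not on an allowlist of machines where the tool is legitimately used. It then relates each host's earliest hit to the time that host's SmarterMail build was upgraded, which is the "compromised even after updating" case Curtis describes: a foothold that predates the patch is not evicted by the patch. All events, hostnames, patch times and the allowlist are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample events (not real telemetry). Fields mirror the Windows
# event log: Security 4720 = a user account was created; Application log
# MsiInstaller 1033 / 11707 = a product was installed.
EVENTS = [
    {"host": "mail-03", "ts": "2026-01-29T03:10:00", "source": "Microsoft-Windows-Security-Auditing", "id": 4624,
     "msg": "An account was successfully logged on. Account Name: administrator"},
    {"host": "mail-03", "ts": "2026-01-29T03:12:00", "source": "Microsoft-Windows-Security-Auditing", "id": 4720,
     "msg": "A user account was created. New Account: Account Name: svc_backup2"},
    {"host": "mail-03", "ts": "2026-01-31T22:40:00", "source": "MsiInstaller", "id": 1033,
     "msg": "Windows Installer installed the product. Product Name: Velociraptor. Installation success or error status: 0."},
    {"host": "dc-01", "ts": "2026-02-01T01:05:00", "source": "Microsoft-Windows-Security-Auditing", "id": 4720,
     "msg": "A user account was created. New Account: Account Name: sqladmin2"},
    {"host": "qc-07", "ts": "2026-02-01T01:30:00", "source": "MsiInstaller", "id": 11707,
     "msg": "Product: Velociraptor -- Installation completed successfully."},
    {"host": "ir-ws-01", "ts": "2026-01-15T10:00:00", "source": "MsiInstaller", "id": 1033,
     "msg": "Windows Installer installed the product. Product Name: Velociraptor. Installation success or error status: 0."},
    {"host": "qc-07", "ts": "2026-01-28T09:00:00", "source": "MsiInstaller", "id": 1033,
     "msg": "Windows Installer installed the product. Product Name: 7-Zip. Installation success or error status: 0."},
]

# Constructed: when each SmarterMail host was upgraded to the fixed build.
# Hosts absent from this map do not run SmarterMail (or were never inventoried).
PATCH_TIMES = {
    "mail-03": "2026-01-30T09:00:00",
    "mail-01": "2026-01-20T09:00:00",
}

# Constructed allowlist: the only machine where the IR team runs Velociraptor.
EXPECTED_VELOCIRAPTOR_HOSTS = {"ir-ws-01"}

MSI_INSTALL_IDS = {1033, 11707}
# The constructed 4720 text carries only the new account's name; a real 4720
# also has a Subject block with the creating account's name before it.
NEW_ACCOUNT_RE = re.compile(r"New Account:.*?Account Name:\s*(\S+)", re.S)


def suspicious_events(events, expected_velociraptor_hosts):
    """Return time-ordered findings for account creation and unexpected Velociraptor installs."""
    findings = []
    for e in events:
        reason = None
        if e["id"] == 4720:
            m = NEW_ACCOUNT_RE.search(e["msg"])
            reason = "new account created: " + (m.group(1) if m else "?")
        elif (e["source"] == "MsiInstaller" and e["id"] in MSI_INSTALL_IDS
              and "velociraptor" in e["msg"].lower()
              and e["host"] not in expected_velociraptor_hosts):
            reason = "Velociraptor installed on a host not approved for it"
        if reason:
            findings.append({"host": e["host"], "ts": datetime.fromisoformat(e["ts"]), "reason": reason})
    return sorted(findings, key=lambda f: f["ts"])


def relate_to_patch(findings, patch_times):
    """Per host: earliest finding, the host's patch time, and whether the foothold predates the patch."""
    summary = {}
    for f in findings:
        h = f["host"]
        if h not in summary or f["ts"] < summary[h]["first_seen"]:
            summary[h] = {"first_seen": f["ts"], "reason": f["reason"]}
    for h, rec in summary.items():
        p = patch_times.get(h)
        rec["patched"] = datetime.fromisoformat(p) if p else None
        # True means upgrading the build did not evict the attacker: they were already inside.
        rec["foothold_predates_patch"] = bool(rec["patched"] and rec["first_seen"] < rec["patched"])
    return summary


FINDINGS = suspicious_events(EVENTS, EXPECTED_VELOCIRAPTOR_HOSTS)
SUMMARY = relate_to_patch(FINDINGS, PATCH_TIMES)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['ts'].isoformat()} {f['host']:9} {f['reason']}")
    for host, rec in SUMMARY.items():
        print(f"{host}: first suspicious {rec['first_seen'].isoformat()}, "
              f"patched {rec['patched'].isoformat() if rec['patched'] else 'never/unknown'}, "
              f"foothold predates patch: {rec['foothold_predates_patch']}")
```

On the constructed data, mail-03 shows an account created on January 29 and a Velociraptor install two days later, while its upgrade is dated January 30, so the script flags the foothold as predating the patch; dc-01 and qc-07 have no patch record at all, which in a real environment is itself the inventory gap that let the untracked VM in this incident go unpatched.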

The security outfit also noted that the two vulnerabilities have the same net result: CVE-2026-23760 grants unauthenticated administrative access via the password reset API, which can then be combined with the volume-mounting logic to attain code execution, whereas CVE-2026-24423 offers a more direct path to code execution through the vulnerable API method itself.

That the attackers favor the former route suggests it lets their activity blend in with routine administrative workflows, helping them evade detection.

"By abusing legitimate features (password resets and drive mounting) instead of relying solely on a single 'noisy' exploit primitive, operators may reduce the effectiveness of detections tuned specifically for known RCE patterns," Feminella added. "This pace of weaponization is consistent with ransomware operators rapidly analyzing vendor fixes and developing working tradecraft shortly after release."

Users of SmarterMail are advised to upgrade to the latest version (Build 9526) immediately, to confirm that every instance is actually tracked and updated (an untracked VM was the entry point in this incident), and to isolate mail servers from the rest of the network so that a compromised host cannot be used for the lateral movement needed to deploy ransomware.
