SmarterTools has confirmed that its internal network was compromised after the Warlock ransomware group, also known as Storm-2603, exploited an unpatched SmarterMail server. The security incident occurred on January 29, 2026, and was traced back to a single mail server that had not been updated to the latest secure build.
According to SmarterTools Chief Commercial Officer Derek Curtis, the company operated around 30 servers and virtual machines running SmarterMail across its infrastructure. One virtual machine, configured independently by an employee, was overlooked during update cycles and became the entry point for attackers.
Scope and Impact of the Breach
SmarterTools stated that critical services such as its official website, shopping cart, My Account portal, and core business applications were not impacted. The company also confirmed that no customer account data was compromised during the incident.
However, the attack did affect approximately 12 Windows servers within the corporate office network, along with a secondary data center used for quality control testing. CEO Tim Uzzanti further revealed that hosted customers using SmarterTrack experienced the most disruption, not due to flaws in SmarterTrack itself, but because attackers were able to move laterally once they gained internal network access.
Delayed Ransomware Deployment Tactics
Investigations showed that the attackers did not immediately deploy ransomware after gaining access. Instead, they waited several days before escalating privileges, taking control of the Active Directory server, and creating new user accounts. Additional malicious payloads, including Velociraptor and the ransomware locker, were then deployed to encrypt files.
Curtis explained that this delay caused confusion among some customers who updated their systems after the breach, as the initial compromise had already occurred but malicious actions were triggered later.
Exploited SmarterMail Vulnerabilities
While SmarterTools has not officially confirmed which vulnerability was used in the initial intrusion, several SmarterMail flaws have recently been observed under active exploitation. These include:
- CVE-2025-52691, CVSS score 10.0
- CVE-2026-23760, CVSS score 9.3
- CVE-2026-24423, CVSS score 9.3
CVE-2026-23760 allows attackers to bypass authentication and reset the system administrator password using a specially crafted HTTP request. CVE-2026-24423 is a weakness in the ConnectToHub API that enables unauthenticated remote code execution.
These vulnerabilities were fixed in SmarterMail Build 9511. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that CVE-2026-24423 is actively being exploited in ransomware campaigns.
Warlock’s Attack Chain and Tradecraft
A report published by cybersecurity firm ReliaQuest identified activity linked to Warlock ransomware abusing CVE-2026-23760 on internet-facing systems. The attackers reportedly used the vulnerability to reset administrative credentials, then leveraged SmarterMail’s built-in Volume Mount feature to gain full system control.
The group also downloaded a malicious MSI installer named “v4.msi” from Supabase, a legitimate cloud backend service, to deploy Velociraptor and maintain persistence.
Security researchers noted that abusing legitimate administrative functions rather than relying on noisy exploit techniques helped attackers evade detection and blend into normal system activity.
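The post-exploitation chain above (new accounts, a Velociraptor service install, an MSI pulled from a cloud URL) and the delayed deployment described earlier both lend themselves to a simple log-review pass. The following is an added example, not SmarterTools', ReliaQuest's or Warlock's code: it runs a few rules over constructed Windows-style event records and reports the dwell time between the first sign of compromise and the last, together with whether that first sign predates the patch timestamp. Host names, the account name and the download URL are placeholders.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample records (not real logs): Windows Security/System
# events trimmed to the fields the rules below need. Host names, the
# account name and the download URL are placeholders.
SAMPLE_EVENTS = [
    {"time": "2026-01-29T03:12:00", "host": "MAIL-VM7", "event_id": 4720,
     "detail": "A user account was created. New Account: svc_backup2"},
    {"time": "2026-01-29T03:15:00", "host": "MAIL-VM7", "event_id": 4688,
     "detail": "msiexec.exe /i https://PLACEHOLDER.supabase.co/v4.msi /qn"},
    {"time": "2026-01-30T09:00:00", "host": "MAIL-VM7", "event_id": 4624,
     "detail": "An account was successfully logged on. Logon Type: 3"},
    {"time": "2026-02-02T22:40:00", "host": "DC01", "event_id": 7045,
     "detail": "Service Name: Velociraptor  Image Path: C:\\ProgramData\\velociraptor.exe"},
]

def classify(event: Dict) -> Optional[str]:
    """Map one event to a detection label, or None if it is not of interest."""
    eid, detail = event["event_id"], event["detail"].lower()
    if eid == 4720:                                   # new user account created
        return "new-account"
    if eid == 7045 and "velociraptor" in detail:      # new service installed
        return "velociraptor-service"
    if eid == 4688 and "msiexec" in detail and "http" in detail and ".msi" in detail:
        return "msi-from-remote-url"                  # installer fetched from a web URL
    return None

def analyse(events: List[Dict], patched_at: str) -> Dict:
    """Return the ordered findings, the dwell time in days between the first and
    last finding, and whether the first finding predates the patch timestamp
    (in which case patching alone did not close the incident)."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev)
        if label:
            findings.append({"time": ev["time"], "host": ev["host"], "label": label})
    if not findings:
        return {"findings": [], "dwell_days": 0, "compromised_before_patch": False}
    first = datetime.fromisoformat(findings[0]["time"])
    last = datetime.fromisoformat(findings[-1]["time"])
    return {
        "findings": findings,
        "dwell_days": (last - first).days,
        "compromised_before_patch": first < datetime.fromisoformat(patched_at),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS, "2026-01-31T00:00:00"))
```

Feeding real exported events into `analyse` with the date the server was actually updated separates "patched after the intrusion" from "patched before it", which is exactly the distinction the confused customers were missing.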
Security Recommendations
ReliaQuest confirmed observing exploitation attempts shortly after patches were released, emphasizing the speed at which ransomware operators weaponize newly disclosed vulnerabilities.
SmarterTools strongly advises all SmarterMail users to immediately upgrade to Build 9526, which includes additional security hardening. Organizations are also urged to isolate mail servers and restrict lateral movement to reduce ransomware deployment risks.