
SmarterTools has confirmed that its network was breached by the Warlock ransomware gang, also known as Storm-2603, through an unpatched SmarterMail server. The incident occurred on January 29, 2026, after a mail server that had not been updated to the latest version was compromised, the company’s Chief Commercial Officer, Derek Curtis, said.
“Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” Curtis explained. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.”
SmarterTools stressed that the intrusion did not affect its website, shopping cart, My Account portal, or several other services, and that no business applications or customer account data were compromised. Approximately 12 Windows servers within the company’s office network, along with a secondary data center used for quality control (QC) testing, were impacted. Tim Uzzanti, CEO of SmarterTools, noted that hosted customers using SmarterTrack experienced the most disruption. “This was not due to any issue within SmarterTrack itself, but rather because that environment was more easily accessible than others once they breached our network,” he explained.
The company also revealed that the attackers waited several days after gaining initial access to take control of the Active Directory server, create new users, and deploy additional payloads, including Velociraptor and a file locker to encrypt data.
“Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action,” Curtis said. “This explains why some customers experienced a compromise even after updating — the initial breach occurred prior to the update, but malicious activity was triggered later.”
It is not yet confirmed which specific SmarterMail vulnerability was exploited, but multiple flaws in the software have been actively targeted in the wild. These include CVE-2025-52691 (CVSS 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS 9.3).
CVE-2026-23760 is an authentication bypass flaw that allows attackers to reset the SmarterMail system administrator password through a specially crafted HTTP request. CVE-2026-24423 is a weakness in the ConnectToHub API that allows unauthenticated remote code execution (RCE). Both vulnerabilities were addressed by SmarterTools in build 9511. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that CVE-2026-24423 has been actively exploited in ransomware campaigns.
According to cybersecurity firm ReliaQuest, activity likely linked to Warlock involved abusing CVE-2026-23760 to bypass authentication and stage ransomware payloads on exposed systems. The attack leveraged the initial access to download a malicious MSI installer (“v4.msi”) from Supabase, which installed Velociraptor, a legitimate digital forensics tool previously used by the group to maintain access.
“While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software’s built-in ‘Volume Mount’ feature to gain full system control,” said security researcher Alexa Feminella. “Upon entry, the group installs Velociraptor to maintain access and set the stage for ransomware.”
Feminella further noted that although both CVE-2026-23760 and CVE-2026-24423 lead to similar outcomes, the attackers’ choice of the former suggests an effort to blend malicious activity with normal administrative workflows, evading detection.
“By abusing legitimate features (password resets and drive mounting) instead of relying solely on a single ‘noisy’ exploit primitive, operators may reduce the effectiveness of detections tuned specifically for known RCE patterns,” she added. “This pace of weaponization is consistent with ransomware operators rapidly analyzing vendor fixes and developing working tradecraft shortly after release.”

SmarterMail users are strongly advised to upgrade to the latest version (Build 9526) immediately and isolate mail servers to prevent lateral movement attempts and mitigate potential ransomware deployment.
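As an added example (not from the article, SmarterTools or ReliaQuest), the following Python correlation flags a host that follows the chain described above: a Supabase-hosted MSI or a Velociraptor service install, then Active Directory user creation or a locker-like rename burst within the multi-day dwell window Curtis describes. The log format, host names and field layout are assumptions, constructed for the example.

```python
"""Correlate the staging-then-dwell chain described above over constructed
log lines. Log format, host names and field layout are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events: "<iso timestamp>|<host>|<event>|<detail>"
SAMPLE_LOG = """\
2026-01-29T03:12:44|MAIL-QC-07|msi_install|https://xyz.supabase.co/storage/v1/object/public/v4.msi
2026-01-29T03:13:02|MAIL-QC-07|service_create|Velociraptor
2026-02-04T22:41:10|DC01|user_create|svc_backup2 by MAIL-QC-07$
2026-02-05T01:02:33|MAIL-QC-07|file_rename_burst|1843 files renamed to .locked
2026-01-30T09:00:00|MAIL-01|msi_install|https://updates.example-vendor.test/agent.msi
2026-01-30T09:05:00|MAIL-01|user_create|helpdesk.tmp by admin
"""

DWELL_MAX = timedelta(days=14)  # article: follow-on activity ~6-7 days after entry
FOLLOW_ON = ("user_create", "file_rename_burst")

def parse(log):
    """Parse the assumed pipe-delimited format into time-sorted tuples."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)

def is_staging(kind, detail):
    """Initial-access staging indicators named in the article."""
    if kind == "msi_install" and ".supabase.co/" in detail:
        return True
    return kind == "service_create" and detail.lower() == "velociraptor"

def source_host(event):
    """Host an AD event originated from ('by <HOST>$'), else the logging host."""
    detail = event[3]
    if " by " in detail and detail.endswith("$"):
        return detail.rsplit(" by ", 1)[1].rstrip("$")
    return event[1]

def correlate(log):
    """Map host -> [(time, kind), ...] for hosts whose first staging event is
    followed within DWELL_MAX by AD user creation or a locker-like rename burst."""
    events = parse(log)
    hits = {}
    for ts, host, kind, detail in events:
        if host in hits or not is_staging(kind, detail):
            continue
        follow = [(e[0], e[2]) for e in events
                  if ts < e[0] <= ts + DWELL_MAX
                  and e[2] in FOLLOW_ON and source_host(e) == host]
        if follow:
            hits[host] = [(ts, kind)] + follow
    return hits
```

The dwell window matters because, as the article notes, a server patched after the staging step still carries the implant; correlate over at least a two-week history rather than only events after the upgrade.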