An unpatched vulnerability in its own SmarterMail email server has led to a ransomware attack against IT management software company SmarterTools. The breach occurred on January 29 and significantly impacted the company's office network as well as a data center responsible for quality control testing systems, the SmarterTools portal, and its Hosted SmarterTrack network.
Extent of the Security Breach
The attack did not extend to the company’s website, shopping cart, or My Account portal, as these services were hosted on a separate network. According to SmarterTools Chief Commercial Officer Derek Curtis, the hackers gained entry through a virtual machine running an outdated instance of SmarterMail. This allowed them to access Windows servers within the data center, ultimately compromising 12 servers.
In response to the breach, SmarterTools immediately powered down all servers at the affected locations and disabled internet access to thoroughly assess the situation. The company took swift actions, including removing as many Windows systems as possible and deactivating Active Directory services. Network-wide password resets were also implemented to bolster security.
Identifying the Attackers
The perpetrators of this cyber assault have been linked to the ransomware group known as Warlock, which surfaced in June 2025 and is suspected to operate from China. It is believed that the attackers exploited CVE-2026-24423, a critical remote code execution vulnerability with a CVSS score of 9.3. This flaw, along with two others—CVE-2026-23760 and CVE-2025-52691—was addressed in a security patch released on January 15.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had recently issued a warning about CVE-2026-24423 being leveraged in ransomware attacks, which likely referenced the incident involving SmarterTools and possibly other compromised customers.
Recommendations and Precautions
To mitigate further risk, SmarterTools strongly advises its customers to update to the latest SmarterMail version without delay. Curtis highlighted the importance of installing build 9526, released on January 22, which provides enhancements to the previous security fixes. Keeping installations up to date is challenging but crucial, as even minor updates can prevent significant issues such as denial-of-service attacks that overburden server resources.
This incident underscores the need for robust cybersecurity practices and timely updates to safeguard systems against ever-evolving threats. It also serves as a reminder for organizations to regularly review and enhance their security measures to protect against potential vulnerabilities.
