SmarterTools has disclosed that the Warlock ransomware group, also known as Storm-2603, broke into its network through an unpatched SmarterMail server. The initial compromise occurred on January 29, 2026, when the outdated mail server was taken over, as confirmed by Derek Curtis, the company’s Chief Commercial Officer.
Details of the Security Breach
According to Curtis, the company ran roughly 30 servers and virtual machines with SmarterMail installed. The breach was traced to a single virtual machine that an employee had set up and that had not been updated. That one unpatched host gave the attackers their foothold on the mail server and, from there, on the wider network. SmarterTools said its public-facing services, including the website, shopping cart, and account portal, were not affected.
The attack impacted about 12 Windows servers and a secondary data center used for quality control. Tim Uzzanti, CEO of SmarterTools, noted that the ransomware primarily affected hosted customers using SmarterTrack, not due to any inherent flaw in SmarterTrack, but because the environment was less secure once the network was breached.
Vulnerability Exploitation and Impact
Warlock operators reportedly waited several days after gaining initial access before taking control of the Active Directory server, creating new user accounts, and deploying further tooling, including Velociraptor, a legitimate open-source DFIR agent that the group repurposes for remote access, before encrypting files. Curtis explained that this dwell time is why some customers were still compromised after applying updates: the attackers had already obtained access before the patch was installed, and patching closes the entry point but does not remove access that was already established.
The specific SmarterMail vulnerability used in this intrusion has not been confirmed, but several SmarterMail flaws, including CVE-2025-52691, CVE-2026-23760, and CVE-2026-24423, have been actively exploited. CVE-2026-23760, an authentication bypass, and CVE-2026-24423, which allows remote code execution via the ConnectToHub API, were fixed in a recent software update.
Preventive Measures and Recommendations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that CVE-2026-24423 is being used in ransomware attacks. A report by cybersecurity firm ReliaQuest describes Warlock abusing CVE-2026-23760 to stage its tooling, including downloading an attacker-supplied MSI installer hosted on Supabase that installs Velociraptor.
Security experts note that Warlock’s habit of pairing legitimate software with exploited vulnerabilities lets the attackers blend in with routine administrative activity, which makes detection harder. SmarterMail users are strongly encouraged to upgrade to the latest version (Build 9526) immediately and to segment mail servers from the rest of the network to limit lateral movement. Because updating does not evict an intruder who is already inside, servers that were exposed before the patch should also be checked for unexpected agents such as Velociraptor and for recently created accounts.
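The two observable stages described above (an MSI fetched from Supabase that installs Velociraptor, then new Active Directory accounts days later) lend themselves to a simple correlation check. The script below is an added example, not code from the article, SmarterTools, or ReliaQuest. It runs over a handful of constructed, simplified Windows-style events (Sysmon event 3 network connections, MsiInstaller event 11707 install-completed records, Security event 4720 account-created records) and flags the staging activity plus any account creation that follows it within an assumed 14-day window; the hostnames, account names, and Supabase subdomain are invented for the sample.

```python
"""Correlate staging (Velociraptor MSI / msiexec -> Supabase) with delayed
account creation. Added example; all sample events below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: how long after staging we still treat new accounts as follow-on.
STAGING_WINDOW = timedelta(days=14)


@dataclass
class Event:
    ts: datetime
    host: str
    provider: str   # "Sysmon", "MsiInstaller" or "Security"
    event_id: int   # Sysmon 3 = network connection; MsiInstaller 11707 =
                    # install completed; Security 4720 = user account created
    data: dict = field(default_factory=dict)


def is_staging(ev: Event) -> bool:
    """Rule A: a Velociraptor MSI install, or msiexec.exe talking to Supabase."""
    if ev.provider == "MsiInstaller" and ev.event_id == 11707:
        return "velociraptor" in ev.data.get("Message", "").lower()
    if ev.provider == "Sysmon" and ev.event_id == 3:
        image = ev.data.get("Image", "").lower()
        dest = ev.data.get("DestinationHostname", "").lower()
        return image.endswith("msiexec.exe") and dest.endswith(".supabase.co")
    return False


def is_account_creation(ev: Event) -> bool:
    """Rule B candidate: Security 4720, a new user account was created."""
    return ev.provider == "Security" and ev.event_id == 4720


def correlate(events):
    """Return staging findings plus account creations that follow staging."""
    events = sorted(events, key=lambda e: e.ts)
    staging = [e for e in events if is_staging(e)]
    findings = [
        {"rule": "staging", "host": s.host, "ts": s.ts,
         "detail": s.data.get("Message") or s.data.get("DestinationHostname")}
        for s in staging
    ]
    for ev in events:
        if not is_account_creation(ev):
            continue
        # Only staging events that happened before this creation, within the window.
        prior = [s for s in staging if timedelta(0) <= ev.ts - s.ts <= STAGING_WINDOW]
        if prior:
            findings.append({
                "rule": "delayed_followon", "host": ev.host, "ts": ev.ts,
                "new_account": ev.data.get("TargetUserName"),
                "staged_on": sorted({s.host for s in prior}),
                "lag_days": (ev.ts - prior[0].ts).days,
            })
    return findings


# Constructed sample telemetry (not real logs). Hostnames/accounts are invented.
SAMPLE_EVENTS = [
    Event(datetime(2026, 1, 29, 2, 14), "MAIL-VM01", "Sysmon", 3,
          {"Image": r"C:\Windows\System32\msiexec.exe",
           "DestinationHostname": "example-project.supabase.co",
           "DestinationPort": 443}),
    Event(datetime(2026, 1, 29, 2, 15), "MAIL-VM01", "MsiInstaller", 11707,
          {"Message": "Product: Velociraptor -- Installation completed successfully."}),
    Event(datetime(2026, 1, 30, 9, 0), "WS05", "MsiInstaller", 11707,
          {"Message": "Product: 7-Zip 24.08 (x64 edition) -- Installation completed successfully."}),
    Event(datetime(2025, 12, 10, 10, 5), "DC01", "Security", 4720,
          {"TargetUserName": "jsmith", "SubjectUserName": "itadmin"}),
    Event(datetime(2026, 2, 3, 23, 40), "DC01", "Security", 4720,
          {"TargetUserName": "svc_backup2", "SubjectUserName": "itadmin"}),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The benign 7-Zip install and the account created in December produce no findings; the December account predates any staging, so it falls outside the window even though it is the same event type. In a real deployment the window and the Supabase match would be tuned to the environment, since both Velociraptor and Supabase have legitimate uses.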
This incident underscores the critical need for regular software updates and vigilant network security practices to safeguard against evolving cyber threats.
