SmarterTools Breach via Unpatched SmarterMail Server Leading to Warlock Ransomware Attempt
SmarterTools confirmed it was breached after attackers exploited an unpatched instance of its SmarterMail email server inside the company’s environment. COO Derek Curtis said the intrusion occurred on January 29, 2026, when an employee-created VM running SmarterMail was not being updated; attackers used it as an entry point, then moved laterally across roughly 30 SmarterMail servers/VMs spanning the office network and a datacenter used for quality-control labs. The incident disrupted the company’s Portal support center, but SmarterTools said segmentation limited broader impact and that security tooling blocked the ransomware encryption attempt.
Reporting attributes the activity to the Warlock ransomware operation (also linked in some tracking to Gold Salem). SmarterTools did not publicly name the exploited flaw, but coverage points to CVE-2026-24423—a SmarterMail authentication bypass that can enable admin password resets—as the most likely initial vector; it was disclosed by watchTowr Labs, patched on January 15, and later added to CISA KEV with an “Exploited in ransomware attacks” designation. SmarterTools stated that only a subset of Windows systems appeared impacted (with Linux servers unaffected), and that business applications/account data were not compromised; post-incident actions included removing Windows from networks, discontinuing Active Directory, restoring some systems from recent backups, and rotating passwords.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
SmarterTools discloses the breach and begins post-incident hardening
SmarterTools publicly confirmed the January 29 breach, said some customers were affected, and urged users to update SmarterMail and review indicators of compromise. The company also reset passwords, reduced Windows usage, stopped using Active Directory, and restructured network segmentation after the incident.
CISA adds CVE-2026-24423 to the KEV catalog
CISA added CVE-2026-24423 to its Known Exploited Vulnerabilities catalog and flagged it as exploited in ransomware attacks. This elevated concern around SmarterMail exploitation and was cited in coverage of the SmarterTools breach.
Warlock ransomware attempt is contained and systems are restored
When the attackers moved toward ransomware actions, security controls including SentinelOne reportedly blocked encryption on reachable systems. SmarterTools isolated networks, shut down or disconnected servers, restored some systems from recent backups, and limited the impact to a subset of Windows infrastructure and support services.
Intruders move laterally across SmarterTools Windows environment
After initial access, the attackers spent several days expanding through SmarterTools' office network and quality-control data center, abusing Active Directory and deploying additional tooling such as Velociraptor and other Windows-focused utilities. Reports say about 12 Windows servers were compromised, while Linux systems were not affected.
Attackers breach SmarterTools through an unpatched SmarterMail VM
On January 29, attackers gained initial access to SmarterTools by exploiting an outdated, untracked SmarterMail virtual machine that had not been receiving updates. SmarterTools attributed the intrusion to the Warlock ransomware group, also tracked as Gold Salem and Storm-2603.
Mass exploitation of CVE-2026-24423 begins
watchTowr reported widespread exploitation attempts against CVE-2026-24423 starting January 28, with more than 1,000 attempts observed from roughly 60 IP addresses. The activity indicated active targeting of vulnerable SmarterMail systems before SmarterTools disclosed its own breach.
SmarterMail flaws CVE-2026-23760 and CVE-2026-24423 are patched
SmarterTools released SmarterMail build 9511 to fix two critical vulnerabilities: CVE-2026-23760, an authentication bypass enabling admin password resets, and CVE-2026-24423, a flaw later described as actively exploited. Multiple reports cite January 15, 2026 as the patch date.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server
thehackernews.com
Open sourceDeep Dive: Inside the Warlock Ransomware Breach of SmarterTools - SecPod Blog
secpod.com
Open sourceRisky Bulletin: SmarterTools hacked via its own product
news.risky.biz
Open sourceRansomware group breached SmarterTools via flaw in its SmarterMail deployment - Help Net Security
helpnetsecurity.com
Open sourceHackers breach SmarterTools network using flaw in its own software
bleepingcomputer.com
Open sourceWarlock Gang Breaches SmarterTools Via SmarterMail Bugs
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware operators abuse legitimate remote administration tools and exploit SmarterMail flaws for initial access and persistence
**Ransomware activity is increasingly blending into normal IT operations** by combining exploitation of internet-facing software with the use of legitimate remote access and monitoring tools. Huntress reported multiple intrusions tied to the **Crazy** ransomware gang where attackers deployed *Net Monitor for Employees Professional* and the *SimpleHelp* remote support client to maintain persistence, evade detection, and stage for ransomware deployment. The actors installed the monitoring agent via `msiexec.exe` directly from the vendor site, then used it for interactive control (desktop viewing, file transfer, command execution); they also added redundant access by installing SimpleHelp via PowerShell and disguising binaries with benign-looking names (e.g., `vshost.exe`) and paths such as `C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`. In parallel, ransomware groups have been observed **actively exploiting recently patched SmarterTools SmarterMail vulnerabilities** that enable unauthenticated compromise of mail servers. SC Media reported that CISA added **CVE-2026-24423** to the KEV catalog after it was linked to ransomware campaigns; the flaw enables unauthenticated RCE via SmarterMail’s `ConnectToHub` API by delivering a malicious OS command from a remote server. A second issue, **CVE-2026-23760**, allows authentication bypass through the password reset API (`force-reset-password`) by not validating the old password; ReliaQuest attributed active exploitation of this weakness to a China-based actor tracked as **Storm-2603**, which reportedly chained the bypass with SmarterMail’s *Volume Mount* feature to reach RCE, activity assessed as staging consistent with **Warlock** ransomware operations (even when ransomware was not yet deployed).
Mar 21, 2026
Active Exploitation of SmarterMail Authentication Bypass Leading to Admin Takeover and RCE
Internet-wide scanning identified **6,000+ SmarterTools SmarterMail** servers exposed online and likely vulnerable to **CVE-2026-23760**, a **critical authentication bypass** in the password reset API that enables **unauthenticated admin account takeover** and can lead to **remote code execution**. The flaw affects SmarterMail versions prior to **build 9511** and abuses the `/api/v1/auth/force-reset-password` (aka `force-reset-password`) endpoint, which allows anonymous password resets for administrator accounts without validating the existing password or requiring a reset token. SmarterTools issued a fix on **January 15, 2026** (later assigned CVE-2026-23760), and Shadowserver reported large-scale exposure with thousands of instances flagged as “likely vulnerable,” including heavy concentration in North America and additional exposure in Asia. Multiple sources reported **active exploitation** shortly after patch availability, with observed attacker behavior consistent with automated hijacking: resetting admin credentials, obtaining authenticated access, and then leveraging SmarterMail administrative capabilities to execute OS-level commands. Huntress reported attackers creating malicious **System Events** to run reconnaissance commands and establish persistence, while watchTowr (which reported the issue to SmarterTools) received additional reports of exploitation in production environments. The reporting also notes this disclosure follows closely after another critical pre-auth SmarterMail issue (**CVE-2025-52691**), reinforcing that unpatched, internet-exposed SmarterMail deployments are being actively targeted.
Mar 21, 2026
SmarterMail Flaws Expose Email Servers to Authentication Bypass and RCE
Multiple severe vulnerabilities in **SmarterMail** exposed internet-facing mail servers to compromise, including `CVE-2025-52691`, an unauthenticated arbitrary file upload flaw that can lead to immediate remote code execution, and `CVE-2026-23760`, an authentication bypass tied to the password reset API. Public reporting said `CVE-2025-52691` affected **Build 9406 and earlier**, carried a **CVSS 10.0** rating, and allowed attackers with network access to place files in arbitrary server locations and execute code with the privileges of the SmarterMail service. Advisories from Censys highlighted both issues, while a public GitHub proof-of-concept for `CVE-2026-23760` increased the risk of opportunistic exploitation. SmarterTools reportedly fixed the file upload vulnerability in **Build 9413**, with later builds available afterward, and security reporting warned that successful compromise of a mail gateway could expose customer email, credentials, and connected backend systems. The flaws were described as especially dangerous for hosting providers and organizations running exposed SmarterMail instances because they enable unauthenticated access paths that can quickly escalate to full server compromise.
May 25, 2026