Warlock Ransomware Breach Exploits Unpatched SmarterMail Server At SmarterTools

Published:

SmarterTools has confirmed that its internal network was breached by the Warlock ransomware group, also tracked as Storm-2603, after attackers exploited an unpatched instance of its SmarterMail email server software. The security incident occurred on January 29, 2026, and was traced back to a mail server that had not been updated to the latest available build. Company executives stated that while the intrusion resulted in limited operational disruption, several internal systems were affected, prompting an immediate investigation and remediation effort.

According to SmarterTools Chief Commercial Officer Derek Curtis, the breach stemmed from an overlooked virtual machine running SmarterMail that was not part of the company’s regular update cycle. At the time of the incident, SmarterTools operated approximately 30 servers and virtual machines with SmarterMail deployed across its environment. One VM, created by an employee and unknown to the IT and security teams, was left unpatched and became the initial entry point for the attackers. Curtis explained that once the vulnerable server was compromised, the threat actors were able to gain a foothold inside the network. SmarterTools stressed that critical customer-facing services, including its website, shopping cart, My Account portal, and multiple business applications, were not affected. The company also stated that no customer account data was accessed or compromised during the incident.

The scope of the attack primarily impacted around 12 Windows servers within the company’s office network, along with systems in a secondary data center used for quality control testing. SmarterTools CEO Tim Uzzanti noted that hosted customers using SmarterTrack experienced the most disruption. He clarified that this was not due to any inherent vulnerability in SmarterTrack itself, but rather because the environment hosting that service became more accessible once attackers moved laterally through the network. Investigators determined that the Warlock group remained dormant for several days after initial access, a tactic commonly observed in ransomware operations. During this period, the attackers escalated privileges by taking control of the Active Directory server, creating new user accounts, and deploying additional tools such as Velociraptor before executing the ransomware payload that encrypted files across targeted systems. Curtis noted that this delay explains why some customers experienced issues even after applying updates, as the compromise had occurred prior to remediation.
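The dwell-time pattern described above (initial access on an overlooked host, then days later a new account on the Active Directory server and a Velociraptor service install before encryption) is exactly what a defender can hunt for in Windows event logs. The following is an added example written for this article, not code from SmarterTools, ReliaQuest or the Velociraptor project. It assumes Security and System events have already been exported as dicts with the fields shown, uses the standard Windows event IDs 4720 (user account created) and 7045 (new service installed), and runs over constructed sample records rather than logs from the incident; the host names and the allow-list of sanctioned Velociraptor hosts are assumptions.

```python
"""Hunt for 'dormant, then AD account creation, then tooling install' in
Windows event records. Added example; all sample data is constructed."""
from datetime import datetime, timedelta

# Assumptions: which hosts are domain controllers, and which hosts are allowed
# to run Velociraptor as sanctioned incident-response tooling.
DOMAIN_CONTROLLERS = {"dc01"}
APPROVED_VELOCIRAPTOR_HOSTS = {"ir-collector01"}

# Constructed sample events (not real logs). Timestamps are ISO 8601, local time.
SAMPLE_EVENTS = [
    # Earliest anomalous activity on an unpatched mail VM (the assumed entry host).
    {"ts": "2026-01-29T03:12:00", "host": "mail-vm-legacy", "event_id": 4624,
     "logon_type": 3, "user": "svc-mail"},
    # Days later: a new domain account created on the DC (Security event 4720).
    {"ts": "2026-02-02T22:41:10", "host": "dc01", "event_id": 4720,
     "subject": "CORP\\backupadmin", "target": "CORP\\svc_update"},
    # A Velociraptor service installed on the DC (System event 7045).
    {"ts": "2026-02-02T22:55:32", "host": "dc01", "event_id": 7045,
     "service_name": "Velociraptor",
     "image_path": "C:\\Program Files\\Velociraptor\\Velociraptor.exe"},
    # Same tool pushed to a QC server in the secondary data center.
    {"ts": "2026-02-03T01:02:00", "host": "qc-srv03", "event_id": 7045,
     "service_name": "Velociraptor",
     "image_path": "C:\\Program Files\\Velociraptor\\Velociraptor.exe"},
    # Sanctioned install on the IR collector: must NOT be flagged.
    {"ts": "2026-02-03T09:15:00", "host": "ir-collector01", "event_id": 7045,
     "service_name": "Velociraptor",
     "image_path": "C:\\Program Files\\Velociraptor\\Velociraptor.exe"},
]


def parse_ts(value):
    """Parse the ISO 8601 timestamp used in the exported records."""
    return datetime.fromisoformat(value)


def find_dc_account_creations(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Event 4720 on a domain controller: a new domain account was created."""
    return [e for e in events
            if e["event_id"] == 4720 and e["host"] in domain_controllers]


def find_unsanctioned_velociraptor(events, approved=APPROVED_VELOCIRAPTOR_HOSTS):
    """Event 7045 whose service name or binary path mentions Velociraptor,
    on a host that is not on the sanctioned-tooling allow-list."""
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        blob = (e.get("service_name", "") + " " + e.get("image_path", "")).lower()
        if "velociraptor" in blob and e["host"] not in approved:
            hits.append(e)
    return hits


def correlate(events, window_hours=24):
    """Pair each DC account creation with every unsanctioned tool install that
    follows it within the window; such pairs are rated high severity."""
    findings = []
    for c in find_dc_account_creations(events):
        for i in find_unsanctioned_velociraptor(events):
            delta = parse_ts(i["ts"]) - parse_ts(c["ts"])
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                findings.append({
                    "severity": "high",
                    "account": c["target"],
                    "created_on": c["host"],
                    "install_host": i["host"],
                    "gap_minutes": int(delta.total_seconds() // 60),
                })
    return findings


def dwell_time_days(events, entry_host):
    """Days between the earliest event on the entry host and the first DC
    account creation: the 'dormant' period the investigators described."""
    first_seen = min(parse_ts(e["ts"]) for e in events if e["host"] == entry_host)
    creations = find_dc_account_creations(events)
    if not creations:
        return None
    first_creation = min(parse_ts(e["ts"]) for e in creations)
    return round((first_creation - first_seen).total_seconds() / 86400, 1)


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
    print("dwell days:", dwell_time_days(SAMPLE_EVENTS, "mail-vm-legacy"))
```

The allow-list is the important design choice: Velociraptor is legitimate IR software, so the signal is not "Velociraptor appeared" but "Velociraptor appeared on a host nobody sanctioned, shortly after a new domain account", which is why the two checks are correlated rather than alerted on separately.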

While SmarterTools has not confirmed which specific vulnerability was used in the breach, several critical SmarterMail flaws have been under active exploitation. These include CVE-2025-52691, rated with a CVSS score of 10.0, and two high-severity issues, CVE-2026-23760 and CVE-2026-24423, both scored at 9.3. CVE-2026-23760 allows attackers to bypass authentication and reset administrator passwords through a specially crafted HTTP request, while CVE-2026-24423 enables unauthenticated remote code execution via a weakness in the ConnectToHub API. SmarterTools addressed these flaws in build 9511, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since confirmed active exploitation of CVE-2026-24423 in ransomware campaigns. Separately, cybersecurity firm ReliaQuest reported identifying Warlock-linked activity abusing CVE-2026-23760 to stage ransomware payloads, including the download of a malicious MSI installer from Supabase to deploy Velociraptor. Researchers noted that the group’s use of legitimate administrative features allowed the attack to blend in with normal activity, reducing the likelihood of detection. SmarterTools has urged all SmarterMail users to immediately upgrade to the latest build, 9526, and to isolate mail servers to limit the risk of lateral movement.
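The root cause here was an inventory gap (a VM unknown to IT) combined with a build below the fixed version, so the practical mitigation is to reconcile what the network actually contains against what the CMDB says is patched, and to rank SmarterMail hosts by build. The following is an added example, not SmarterTools' code or tooling. It assumes a CMDB export and a hypervisor or network-scan export have been collected as the dicts shown (constructed sample data), and that the SmarterMail build number has already been gathered by the site's own inventory tooling; the only page-derived values are build 9511 (where the flaws were fixed) and build 9526 (the build users were urged to install).

```python
"""Reconcile observed hosts against the CMDB and rank SmarterMail builds.
Added example; host names, IPs and exports are constructed."""

FIXED_BUILD = 9511   # build that addressed the CVEs named in the article
LATEST_BUILD = 9526  # build SmarterTools urged users to upgrade to

# Constructed: what the IT/security team believes exists and keeps patched.
CMDB = [
    {"host": "mail01", "owner": "it-ops", "role": "smartermail"},
    {"host": "mail02", "owner": "it-ops", "role": "smartermail"},
    {"host": "dc01", "owner": "it-ops", "role": "domain-controller"},
]

# Constructed: what a hypervisor inventory or internal scan actually observed.
OBSERVED = [
    {"host": "mail01", "ip": "10.0.1.10", "product": "SmarterMail", "build": 9526},
    {"host": "mail02", "ip": "10.0.1.11", "product": "SmarterMail", "build": 9511},
    {"host": "dc01", "ip": "10.0.1.5", "product": None, "build": None},
    # An employee-created test VM that IT never knew about, on an old build.
    {"host": "dev-mail-test", "ip": "10.0.9.44", "product": "SmarterMail", "build": 9360},
    # Current build, but still outside the CMDB and therefore outside the patch cycle.
    {"host": "sales-demo-mail", "ip": "10.0.9.45", "product": "SmarterMail", "build": 9526},
]


def find_shadow_hosts(observed, cmdb):
    """Hosts seen on the network that the CMDB does not know about."""
    known = {h["host"].lower() for h in cmdb}
    return sorted(o["host"] for o in observed if o["host"].lower() not in known)


def classify_build(build, fixed=FIXED_BUILD, latest=LATEST_BUILD):
    """Map a SmarterMail build number to a patch status."""
    if build is None:
        return "n/a"
    if build < fixed:
        return "vulnerable"          # below the build that fixed the CVEs
    if build < latest:
        return "patched-but-behind"  # fixed, but not on the recommended build
    return "current"


def priority_for(status, in_cmdb):
    """1 = act now. A vulnerable build outranks everything; an unknown host
    outranks a known-but-behind one, because nobody is patching it."""
    if status == "vulnerable":
        return 1
    if not in_cmdb:
        return 2
    if status == "patched-but-behind":
        return 3
    return 4


def triage(observed, cmdb, fixed=FIXED_BUILD, latest=LATEST_BUILD):
    """Produce a prioritised worklist of every SmarterMail host observed."""
    known = {h["host"].lower() for h in cmdb}
    report = []
    for o in observed:
        if o.get("product") != "SmarterMail":
            continue
        status = classify_build(o["build"], fixed, latest)
        in_cmdb = o["host"].lower() in known
        report.append({
            "host": o["host"],
            "ip": o["ip"],
            "build": o["build"],
            "status": status,
            "in_cmdb": in_cmdb,
            "priority": priority_for(status, in_cmdb),
        })
    return sorted(report, key=lambda r: (r["priority"], r["host"]))


if __name__ == "__main__":
    print("shadow hosts:", find_shadow_hosts(OBSERVED, CMDB))
    for row in triage(OBSERVED, CMDB):
        print(f"P{row['priority']} {row['host']:<16} build={row['build']} "
              f"{row['status']} cmdb={row['in_cmdb']}")
```

Running this against real exports turns "one VM we did not know about" from a post-incident finding into a routine report: any host at priority 1 or 2 is either exploitable or outside the patch cycle, and both were true of the VM that became the entry point here.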
