SmarterTools Breach Linked to Critical SmarterMail Vulnerabilities Exploited by Warlock Ransomware Group
SmarterTools, the vendor behind the SmarterMail email server, recently disclosed a breach stemming from two critical vulnerabilities in its own product. The flaws, CVE-2026-24423 (an unauthenticated remote-code execution bug in the ConnectToHub API method) and CVE-2026-23760 (an authentication bypass that allows forced admin password resets), were patched in SmarterMail release 9511 on January 15, but not before being exploited by the China-based Warlock ransomware group.
The attack, which occurred on January 29, compromised SmarterTools’ internal network, including 12 Windows servers and a data center used for lab and quality control. The breach originated from a single unpatched SmarterMail instance among the company’s 30 deployed servers; most of its Linux servers were unaffected. The threat actors used the vulnerabilities to redirect SmarterMail instances to a malicious server and execute commands, then gained control of Active Directory, installed files, and waited up to a week before deploying ransomware.
SmarterTools’ COO, Derek Curtis, confirmed that the company’s office network and a secondary data center were affected, though business applications and customer data remained secure because they were isolated on separate networks. The company responded by shutting down all servers, disabling internet access, restructuring its networks (eliminating Windows dependencies where possible), and resetting all passwords. SentinelOne assisted in detecting the intrusion and preventing encryption.
Curtis said no major security issues currently affect SmarterMail, but acknowledged that some customers were breached before they applied the patches, since the initial compromises predated any visible evidence of intrusion. The Warlock group’s tactics (Active Directory takeover, lateral movement, and delayed ransomware execution) mirrored those observed on customer systems.
SmarterTools serves SMBs and enterprises as an alternative to Microsoft Exchange, which makes these vulnerabilities particularly high-risk. Both CVEs carry a critical CVSS score of 9.3. The company has committed to improved transparency in its security communications, though it had not yet responded to inquiries about lessons learned. Customers were urged to update to the patched version and to investigate potential breaches using the indicators of compromise the vendor provided.
Source: https://www.darkreading.com/application-security/warlock-gang-breaches-smartertools-smartermail-bugs
SmarterTools cybersecurity rating report: https://www.rankiteo.com/company/smartertools
{
  "id": "SMA1770688489",
  "linkid": "smartertools",
  "type": "Ransomware",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "SMBs and enterprises using SmarterMail (some breached before patches applied)",
      "industry": "Technology (Email Server Software)",
      "name": "SmarterTools",
      "type": "Vendor/Software Provider"
    }
  ],
  "attack_vector": "Exploitation of unpatched vulnerabilities (CVE-2026-24423, CVE-2026-23760)",
  "customer_advisories": "Customers advised to apply patches and check for indicators of compromise",
  "data_breach": {"data_encryption": true},
  "date_detected": "2026-01-29",
  "description": "SmarterTools, the vendor behind the SmarterMail email server, recently disclosed a breach stemming from two critical vulnerabilities in its own product. The flaws CVE-2026-24423 (an unauthenticated remote-code execution bug in the ConnectToHub API method) and CVE-2026-23760 (an authentication bypass enabling forced admin password resets) were patched in SmarterMail release 9511 on January 15, but not before being exploited by the China-based Warlock ransomware group. The attack compromised SmarterTools’ internal network, including 12 Windows servers and a data center used for lab and quality control. The threat actors leveraged the vulnerabilities to redirect SmarterMail instances to a malicious server, execute commands, and eventually gain control of Active Directory before deploying ransomware.",
  "impact": {
    "brand_reputation_impact": "High (critical vulnerabilities, delayed patching, customer breaches)",
    "operational_impact": "Network shutdown, internet access disabled, network restructuring",
    "systems_affected": "12 Windows servers, internal network, data center (lab and quality control)"
  },
  "initial_access_broker": {
    "entry_point": "Unpatched SmarterMail instance (CVE-2026-24423, CVE-2026-23760)",
    "high_value_targets": "Active Directory"
  },
  "investigation_status": "Ongoing",
  "motivation": "Financial gain (ransomware deployment)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Applied patches",
      "Network restructuring",
      "Eliminated Windows dependencies",
      "Password resets"
    ],
    "root_causes": [
      "Unpatched vulnerabilities (CVE-2026-24423, CVE-2026-23760)",
      "Delayed patching",
      "Single unpatched SmarterMail instance"
    ]
  },
  "ransomware": {"data_encryption": true, "ransomware_strain": "Warlock"},
  "recommendations": "Improve transparency in security communications, ensure timely patching, investigate potential breaches using provided indicators of compromise",
  "references": [{"source": "SmarterTools Disclosure"}],
  "response": {
    "communication_strategy": "Urged customers to update to patched version and investigate potential breaches using indicators of compromise",
    "containment_measures": [
      "Shut down all servers",
      "Disabled internet access",
      "Network restructuring"
    ],
    "incident_response_plan_activated": true,
    "network_segmentation": true,
    "remediation_measures": [
      "Applied patches (SmarterMail release 9511)",
      "Eliminated Windows dependencies where possible",
      "Reset all passwords"
    ],
    "third_party_assistance": "SentinelOne (intrusion detection and prevention)"
  },
  "stakeholder_advisories": "Customers urged to update to patched version and investigate potential breaches",
  "threat_actor": "Warlock ransomware group",
  "title": "SmarterTools Breach Linked to Critical SmarterMail Vulnerabilities Exploited by Warlock Ransomware Group",
  "type": "Ransomware",
  "vulnerability_exploited": ["CVE-2026-24423", "CVE-2026-23760"]
}