Exploiting the System: How Hackers Infiltrated SmarterTools Network through Software Vulnerabilities

SmarterTools Network Breached by Hackers Utilizing Flaw in Own Software

Last week, SmarterTools confirmed that the Warlock ransomware gang successfully breached their network by exploiting a vulnerability in an email system. Fortunately, this breach did not have any impact on business applications or account data.

Derek Curtis, the Chief Commercial Officer of the company, revealed that the breach took place on January 29 through a single SmarterMail virtual machine (VM) that was set up by an employee.

“Prior to the breach, we had around 30 servers/VMs with SmarterMail installed across our network,” Curtis explained.

Unfortunately, the company was unaware of one VM that was not being updated, leading to its compromise and subsequent breach.

While customer data remained untouched by the breach, 12 Windows servers within the company’s office network and a secondary data center used for testing and hosting were compromised.

The attackers were able to move laterally through the network via Active Directory, utilizing Windows tools and persistence methods. However, the Linux servers, which make up the majority of the company’s infrastructure, were not affected.

The vulnerability that was exploited in the attack was CVE-2026-23760, an authentication bypass flaw in SmarterMail prior to Build 9518, enabling the attackers to reset administrator passwords and gain full privileges.

SmarterTools identified the attackers as the Warlock ransomware group, which has also targeted customer machines with similar tactics.

The ransomware operators waited a week after gaining initial access before initiating the encryption of reachable machines. Fortunately, SentinelOne security products intervened, preventing encryption, and the affected systems were restored from backups.

The attackers used tools such as Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, along with startup items and scheduled tasks for persistence.

Cisco Talos previously reported that the threat actors were abusing the open-source DFIR tool Velociraptor.

In October 2025, the cybersecurity firm Halcyon linked the Warlock ransomware gang to a Chinese nation-state actor identified as Storm-2603.

A recent report from ReliaQuest has confirmed the connection between the activity and Storm-2603 with moderate-to-high confidence.

“While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 utilizes the software’s ‘Volume Mount’ feature to gain complete system control,” ReliaQuest stated.

ReliaQuest also detected probes for CVE-2026-24423, another SmarterMail flaw actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.

Administrators are strongly advised to upgrade to Build 9511 or later to address all recent vulnerabilities in the SmarterMail product.
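The root cause above was a VM that the patch process did not know about. As an added example (not SmarterTools' code), the script below reconciles a hypothetical patch inventory (a CSV of host and build) against the hosts a network or Active Directory sweep actually found, flagging hosts that are unmanaged, outdated against the Build 9518 threshold the article cites for CVE-2026-23760, or missing from the sweep. The host names and builds are constructed sample data.

```python
import csv
import io

# Minimum acceptable SmarterMail build. The article cites Build 9518 as the first
# build not affected by CVE-2026-23760; adjust to the vendor's current advice.
MIN_BUILD = 9518

# Constructed sample data (hypothetical hosts, not real SmarterTools systems).
# MANAGED_CSV is what the patching process knows about; DISCOVERED_HOSTS is what
# a network/AD sweep actually found. One host appears only in the sweep.
MANAGED_CSV = """host,build
mail01.corp.example,9518
mail02.corp.example,9518
mail03.corp.example,9502
"""
DISCOVERED_HOSTS = """
mail01.corp.example
mail02.corp.example
mail03.corp.example
testvm-jdoe.corp.example
"""


def parse_managed(csv_text):
    """Return {host: build} from the patch inventory; non-numeric builds become None."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        build = row["build"].strip()
        out[row["host"].strip().lower()] = int(build) if build.isdigit() else None
    return out


def parse_discovered(text):
    """Return the set of host names reported by the sweep, normalised to lower case."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def audit(discovered, managed, min_build=MIN_BUILD):
    """Classify every discovered host so that nothing sits outside the patch process."""
    result = {"unmanaged": [], "unknown_build": [], "outdated": [], "ok": []}
    for host in sorted(discovered):
        if host not in managed:
            result["unmanaged"].append(host)      # the failure mode in the article
        elif managed[host] is None:
            result["unknown_build"].append(host)
        elif managed[host] < min_build:
            result["outdated"].append(host)
        else:
            result["ok"].append(host)
    # Inventory entries the sweep did not see are stale records and also need review.
    result["stale"] = sorted(set(managed) - discovered)
    return result


if __name__ == "__main__":
    report = audit(parse_discovered(DISCOVERED_HOSTS), parse_managed(MANAGED_CSV))
    for category, hosts in report.items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```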
