SmarterTools recently disclosed a breach that occurred as a result of vulnerabilities the company addressed last month. The software company was compromised, through its own product, by Warlock, a ransomware group that first emerged last year.
CVE-2026-24423 is an unauthenticated remote-code execution vulnerability in the ConnectToHub API method of the SmarterMail mail server. The vulnerability enables an attacker to point a SmarterMail instance at a malicious HTTP server managed by the threat actor; that server can then deliver malicious commands. It was disclosed alongside CVE-2026-23760, an authentication bypass vulnerability that can enable an unauthenticated attacker to force a password reset on a system administrator account. This enables full compromise of the SmarterMail instance.
Both bugs have critical CVSS severity scores of 9.3, and both were addressed in SmarterMail release 9511 on Jan. 15.
These vulnerabilities were used to compromise SmarterTools, which sells SmarterMail. SmarterTools chief operating officer Derek Curtis published a blog post last week detailing how the company suffered and responded to the data breach, which occurred on Jan. 29.
According to the executive, SmarterTools had 30 servers and virtual machines with SmarterMail installed throughout its network, but it was unaware of one that was not being updated. It was that one vulnerable server that led to the breach.
Some of the company’s SmarterMail customers were also hit as a result of the attack. The company said all customers should update to a fixed version of its software immediately and use indicators of compromise (included in the blog) to investigate signs of a possible breach.
Fallout of the SmarterTools Breach
Curtis explained that the company isolates its networks in the event of a breach, and as a result, many services remained online during incident response. No business applications or account data were affected either, he wrote.
It was primarily SmarterTools’ office network that was compromised, as well as a data center used for lab and quality control work. “At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory,” Curtis said. “We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.”
Twelve Windows servers on its network “looked to be compromised,” and on these servers, virus scanners blocked most efforts. None of the company’s Linux servers, which make up the majority of its servers, were impacted.
As part of its incident response effort, SmarterTools shut off all servers at both locations and disabled all Internet access, pending an evaluation. The company restructured its networks, eliminating Windows where possible and no longer using Active Directory. It also reset all network passwords. SmarterTools praised SentinelOne for its role in the response process, including in detecting vulnerabilities and preventing encryption, a detail that suggests ransomware may have been involved.
“As of now, there are no major known security issues with SmarterMail,” Curtis wrote. “In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company’s history, and we are learning a great deal from it — with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have.”
Dark Reading asked SmarterTools about some of its lessons learned from the breach, but the company had not responded at press time.
Threat Actors Target SmarterMail Customers
SmarterMail’s customers are SMBs and enterprises that rely on its server as an alternative to Microsoft Exchange. While traditional on-premises Microsoft Exchange deployments have had their share of serious vulnerabilities, CVE-2026-24423 and CVE-2026-23760 affect far more than SmarterTools alone.
Curtis said the China-based ransomware actor Warlock Group compromised the company, and that it has “observed similar activity on customer machines.” Once the threat actor gains access, it installs files and waits up to a week before taking further action.
As he put it, some customers experienced a breach despite updating because the initial breach happened earlier than visible evidence might have suggested. “They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data,” the blog post read. The Warlock Group is believed to target primarily Windows environments.
It’s not every day that a technology vendor gets compromised through a vulnerability in its own product, but as SmarterTools shows, it’s possible. Organizations should consider taking regular inventory of their SmarterMail deployments, as well as employing follow-on hardening measures such as network segmentation.
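The inventory advice above, turned into a triage routine as an added example (not code from the article or from SmarterTools): it walks a constructed SmarterMail inventory and applies the article's own facts, the fixed build 9511 shipped Jan. 15 and the actor's up-to-a-week dwell time, so that a host patched late, or one with no recorded build like the forgotten server, is flagged for an IoC sweep rather than marked clean. Host names, build numbers and dates in the sample are constructed, and builds are assumed to be plain integers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

FIXED_BUILD = 9511                 # release fixing CVE-2026-24423 and CVE-2026-23760
FIX_RELEASED = date(2026, 1, 15)   # date that release shipped
MAX_DWELL_DAYS = 7                 # actor installs files, then waits up to a week


@dataclass
class Host:
    name: str
    product: str
    build: Optional[int]           # None: build never recorded (the forgotten-server case)
    patched_on: Optional[date]     # date FIXED_BUILD or later was installed, if known


def triage(host: Host, today: date) -> str:
    """Classify one inventory record; only SmarterMail hosts are of interest."""
    if host.product != "SmarterMail":
        return "N/A"
    if host.build is None:
        return "UNKNOWN: verify build on the box; treat as unpatched until confirmed"
    if host.build < FIXED_BUILD:
        return "UNPATCHED: update immediately and sweep with the published IoCs"
    # Patched, but the host ran an exploitable build between fix release and patch day.
    # The actor waits up to a week before acting, so a breach that began in that window
    # can surface after patching: keep looking for IoCs through patch day + dwell time.
    patched_on = host.patched_on or today
    exposed_days = (patched_on - FIX_RELEASED).days
    if exposed_days > 0:
        watch_until = patched_on + timedelta(days=MAX_DWELL_DAYS)
        return f"PATCHED after {exposed_days} exposed days: sweep for IoCs through {watch_until}"
    return "OK"


def triage_inventory(hosts: Iterable[Host], today: date) -> Dict[str, str]:
    return {h.name: triage(h, today) for h in hosts}


# Constructed sample inventory; names, builds and dates are made up for illustration.
SAMPLE = [
    Host("mail-01", "SmarterMail", 9511, date(2026, 1, 15)),
    Host("mail-02", "SmarterMail", 9511, date(2026, 1, 28)),
    Host("lab-07", "SmarterMail", 9200, None),
    Host("qa-03", "SmarterMail", None, None),
    Host("web-01", "nginx", None, None),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE, date(2026, 1, 29)).items():
        print(f"{name}: {verdict}")
```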
