SmarterTools Network Breached via Unpatched SmarterMail Vulnerability
Take action: When developing a product, always make sure to patch your own product instances. You are just as exposed as your customers, and there are few reasonable arguments for not patching.
SmarterTools, the developer of the SmarterMail email server, confirmed a network breach on January 29, 2026. The incident was caused by the Warlock ransomware group (also tracked as Storm-2603 or Gold Salem) exploiting an unpatched SmarterMail virtual machine (VM) that an employee had set up but failed to update.
The exploited vulnerability is tracked as CVE-2026-23760 (CVSS score 9.3), an authentication bypass in SmarterMail versions before Build 9518. After gaining access, the group used the software's built-in 'Volume Mount' feature to take control of the system. They moved laterally through the network via Active Directory and deployed tools such as Velociraptor, SimpleHelp, and older versions of WinRAR to maintain persistence and prepare for data encryption.
The compromised data and systems include:
- 12 Windows servers on the company's office network
- Secondary data center infrastructure used for laboratory tests and quality control
- Active Directory server configurations and user accounts
- Internal system files and laboratory hosting data
The number of affected individuals has not been disclosed. SmarterTools states that business applications and customer account data were not compromised. The attackers attempted to deploy ransomware, but SentinelOne security software blocked the final payload, preventing the encryption of files.
SmarterTools isolated the affected networks and restored systems from backups. The company removed Windows from its internal networks and stopped using Active Directory services to reduce its attack surface. They also forced a network-wide password reset and notified relevant authorities.