Cyber: Warlock Ransomware Breaches Smartertools Through Unpatched...
SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched SmarterMail instance.
The incident took place on January 29, 2026, when a mail server that was not updated to the latest version was compromised, the company's Chief Commercial Officer, Derek Curtis, said.
"Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained. "Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach."
However, SmarterTools emphasized that the breach did not affect its website, shopping cart, My Account portal, and several other services, and that no business applications or account data were affected or compromised.
About 12 Windows servers on the company's office network, as well as a secondary data center used for quality control (QC) tests, are confirmed to be affected. According to its CEO, Tim Uzzanti, the "attempted ransomware attack" also impacted hosted customers using SmarterTrack.
"Hosted customers using SmarterTrack were the most affected," Uzzanti said in a different Community Portal thread. "This was not due to any issue within SmarterTrack itself, but rather because that environment was more easily accessible than others once they breached our network."
Furthermore, SmarterTools acknowledged that the Warlock group waited for a couple of days after gaining initial access to take control of the Active Directory server and create new users, followed by dropping additional payloads like Velociraptor and the locker to encrypt files.
"Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action," Curtis said. "This explains why some customers experienced a compromise even after updating -- the initial breach occurred prior to the update, but malicious activity was triggered later."
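The two-stage pattern described above (new accounts created on the Active Directory server, then tooling such as Velociraptor installed on other hosts several days later) is the kind of sequence a defender can correlate rather than alert on piecemeal. The following is an added example, not code from the article, The Hacker News, or SmarterTools: it parses constructed Windows event records (Security event 4720 "user account created" and System event 7045 "new service installed", in an assumed pipe-delimited export format) and flags any Velociraptor service install that lands within a window after one or more account creations, reporting the dwell time between the two.

```python
"""Correlate account-creation and service-install events to surface the
"create users, wait, then drop tooling" sequence described in the article.
All log lines below are constructed for illustration; the export format
(ts|host|event_id|key=value;key=value) is an assumption, not a real product format."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

ACCOUNT_CREATED = 4720    # Windows Security log: a user account was created
SERVICE_INSTALLED = 7045  # Windows System log: a new service was installed
# Assumed indicator: the article names Velociraptor as one of the dropped payloads.
TOOL_MARKERS = ("velociraptor",)


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    fields: dict


# Constructed sample export (not from the incident). One line is deliberately
# out of order and one 7045 is a benign service, to exercise sorting and filtering.
SAMPLE_LOG = """\
2026-01-29T03:12:00|DC01|4720|TargetUserName=svc_backup2;SubjectUserName=admin
2026-02-04T22:43:00|QC-DB01|7045|ServiceName=Velociraptor;ImagePath=C:\\ProgramData\\velociraptor.exe
2026-01-29T03:15:00|DC01|4720|TargetUserName=helpdesk_tmp;SubjectUserName=admin
2026-01-30T09:00:00|FS01|7045|ServiceName=PrintHelper;ImagePath=C:\\Windows\\System32\\printhelper.exe
2026-02-04T22:41:00|FS01|7045|ServiceName=Velociraptor;ImagePath=C:\\ProgramData\\velociraptor.exe
"""


def parse_event(line: str) -> Event:
    """Parse one 'ts|host|event_id|k=v;k=v' record into an Event."""
    ts, host, event_id, raw = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
    return Event(datetime.fromisoformat(ts), host, int(event_id), fields)


def parse_events(text: str) -> list:
    """Parse all non-empty lines and return them in chronological order."""
    events = [parse_event(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_sequences(events: list, window_days: int = 10) -> list:
    """Return one alert per tool-service install that follows account creation
    within `window_days`. Each alert lists the preceding new accounts and the
    dwell time (whole days) from the earliest of them to the install."""
    alerts = []
    creations = []  # (ts, username) for every 4720 seen so far, in time order
    for ev in events:
        if ev.event_id == ACCOUNT_CREATED:
            creations.append((ev.ts, ev.fields.get("TargetUserName", "?")))
        elif ev.event_id == SERVICE_INSTALLED:
            blob = (ev.fields.get("ServiceName", "") + " " + ev.fields.get("ImagePath", "")).lower()
            if not any(marker in blob for marker in TOOL_MARKERS):
                continue  # ordinary service install, not the tooling we care about
            recent = [(ts, user) for ts, user in creations if (ev.ts - ts).days <= window_days]
            if not recent:
                continue  # tool install with no preceding account creation in window
            alerts.append({
                "host": ev.host,
                "service": ev.fields.get("ServiceName", ""),
                "installed_at": ev.ts.isoformat(),
                "accounts": [user for _, user in recent],
                "dwell_days": (ev.ts - recent[0][0]).days,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sequences(parse_events(SAMPLE_LOG)):
        print(f"{alert['host']}: {alert['service']} installed {alert['installed_at']} "
              f"{alert['dwell_days']} days after accounts {alert['accounts']} were created")
```

On the constructed sample this yields two alerts (FS01 and QC-DB01), each tied to the two accounts created on DC01 six days earlier, matching the multi-day gap the article attributes to the group; the benign PrintHelper install is ignored. In a real deployment the window and the marker list would be tuned to the environment, and a 4720 on a domain controller outside change windows would merit its own alert regardless of what follows.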
It's currently not clear which SmarterMail vulnerability was weaponized by attackers, but it's worth noting that multiple flaws in the email software – CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS scores: 9.3) – have come under active exploitation in the wild.
CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request. CVE-2026-24423,
Source: The Hacker News