Warlock Ransomware Exploits SmarterMail Flaw, Breaching SmarterTools Network
- John Jordan
- 6 hours ago
SmarterTools has confirmed a significant security breach within its network, attributed to the Warlock ransomware group. The intrusion occurred on January 29, 2026, and stemmed from an unpatched server running SmarterMail, the company's own product. While critical services like the website and customer portals remained unaffected, the attack impacted internal Windows servers and a secondary data center, affecting hosted SmarterTrack customers.
Key Takeaways
- SmarterTools experienced a ransomware attack by the Warlock group due to an unpatched SmarterMail server.
- The breach occurred on January 29, 2026, exploiting vulnerabilities like CVE-2026-23760 and CVE-2026-24423.
- While customer-facing services were protected, internal systems and hosted SmarterTrack environments were impacted.
- SmarterTools has since taken steps to restructure its network and enforce security measures.
The Attack Vector
The breach originated from a single SmarterMail virtual machine that had been set up by an employee and had not been updated. This oversight allowed the Warlock group to gain initial access and subsequently move laterally across the network. The attackers reportedly waited several days after gaining access before deploying payloads and encrypting files, a tactic designed to evade detection and bypass patching efforts.
Vulnerabilities Exploited
While SmarterTools did not initially specify the exact vulnerability, investigations point to the exploitation of critical flaws in SmarterMail. These include CVE-2026-23760, an authentication bypass vulnerability allowing password resets, and CVE-2026-24423, which enables unauthenticated remote code execution (RCE). Both vulnerabilities have been patched by SmarterTools in recent builds, with CVE-2026-24423 being flagged by CISA as actively exploited in ransomware campaigns.
Impact and Response
The attack affected approximately a dozen Windows servers on the company's office network and a secondary data center used for quality control. Hosted customers using SmarterTrack were also impacted, as that environment was more accessible once the attackers breached the main network. SmarterTools emphasized that its website, shopping cart, and account portal were not compromised due to network segmentation. In response, the company has restructured its internal network, eliminated Windows systems where possible, removed Active Directory services, and enforced complete password resets.
Recommendations for Users
SmarterTools urges all users of its SmarterMail product to upgrade to the latest version immediately to ensure protection against these vulnerabilities. The company also advises isolating mail servers to prevent lateral movement and reviewing antivirus configurations for compatibility. The incident serves as a stark reminder of the importance of timely patching, even for the software vendors themselves.






