Physician, Heal Thyself: Warlock Ransomware Breaches SmarterTools Through Its Own SmarterMail Zero-Day

"If the people shipping the fix can miss it, nobody gets a free pass."
— Ryan Dewhurst, watchTowr Head of Threat Intelligence

There's a special kind of irony when a software company gets breached through vulnerabilities in its own product. It's the digital equivalent of a locksmith getting locked out of their house, or a security guard being robbed at their own station. But when that company develops email server software marketed as a secure Microsoft Exchange alternative, and attackers waltz in through an unpatched "forgotten" server running that exact software? That's not just ironic—it's a masterclass in everything that can go wrong when organizations fail to practice what they preach.

On January 29, 2026, SmarterTools—the Arizona-based company behind the popular SmarterMail email platform—became the latest high-profile victim of the Warlock ransomware group. The attack vector? Critical vulnerabilities CVE-2026-23760 and CVE-2026-24423 in SmarterMail itself, patched just 14 days earlier in Build 9511. The entry point? A rogue virtual machine that an employee had set up without IT oversight, running an outdated SmarterMail instance that never got the memo about those critical patches.

The result: approximately 12 Windows servers compromised, Active Directory taken over, over 1.2 million documents exfiltrated, and ransomware execution attempted across the environment—blocked only because Sentinel One intervened in time. For a company that runs "approximately 30 servers/VMs with SmarterMail installed," the failure to patch even one proved catastrophic.

This is the story of how the healers failed to heal themselves, what it means for the 6,000+ SmarterMail servers still vulnerable across the internet, and what every SmarterMail customer needs to do right now to avoid becoming the next victim.


The Breach: A Forgotten VM Becomes an Open Door

The Timeline of Failure

The SmarterTools breach follows a painfully predictable pattern—one that security professionals have warned about for decades. Shadow IT, that perennial organizational blind spot, struck again.

January 8, 2026: watchTowr Labs responsibly discloses CVE-2026-23760 (authentication bypass) and CVE-2026-24423 (remote code execution) to SmarterTools.

January 15, 2026: SmarterTools releases Build 9511, patching both critical vulnerabilities along with CVE-2025-52691 (a CVSS 10.0 arbitrary file upload flaw patched in an earlier build but newly assigned a CVE).

January 17, 2026: Security firms begin observing active exploitation in the wild. The race begins.

January 22, 2026: Huntress confirms mass automated exploitation of vulnerable SmarterMail instances. Shadowserver identifies over 6,000 likely vulnerable servers globally.

January 26, 2026: CISA adds CVE-2026-23760 to its Known Exploited Vulnerabilities (KEV) catalog.

January 29, 2026: Warlock ransomware operators breach SmarterTools' internal network through an unpatched VM.

February 5, 2026: CISA adds CVE-2026-24423 to KEV, explicitly marking it as "Exploited in ransomware attacks."

February 9, 2026: SmarterTools publicly discloses the breach.

The math is damning: SmarterTools had 14 days between releasing the patch and getting breached through the very vulnerability they patched. For a company with approximately 30 SmarterMail instances, they missed one—and one was enough.

The Anatomy of the Attack

Derek Curtis, SmarterTools' Chief Communications Officer, provided an unusually candid post-mortem in the company's community portal. The transparency is commendable; the revelations are sobering.

The initial access came through "a server that someone set up and forgot about"—a virtual machine running an outdated SmarterMail instance that had fallen through the cracks of the company's patching regime. This VM, invisible to IT governance, became the attackers' beachhead.

Once inside, the Warlock operators followed their established playbook:

  1. Initial Access: Exploitation of CVE-2026-24423 (unauthenticated RCE) on the forgotten VM
  2. Persistence: Installation of Velociraptor (a legitimate digital forensics tool repurposed for command-and-control) and SimpleHelp (a remote support tool providing persistent backdoor access)
  3. Credential Harvesting: Mimikatz deployment to dump credentials from LSASS memory
  4. Lateral Movement: PsExec and RDP abuse to pivot across approximately 12 Windows servers
  5. Domain Takeover: Active Directory compromise, including creation of rogue admin accounts
  6. Data Exfiltration: Over 1.2 million sensitive documents stolen—financial records, source code, internal corporate documents
  7. Ransomware Deployment: Attempted encryption of systems, blocked by Sentinel One endpoint protection

The dwell time was approximately 6-7 days—a window during which attackers established deep persistence and staged their payloads for maximum impact. As Curtis noted, this timing explains a troubling pattern: "Some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later."

What Was Compromised (and What Wasn't)

SmarterTools was relatively fortunate—if "fortunate" is the right word for a company that just got breached through its own product.

Compromised:

  • ~12 Windows servers on the office network
  • Secondary data center (QC/testing environment)
  • Hosted SmarterTrack customer environment
  • Active Directory infrastructure
  • Over 1.2 million documents exfiltrated

Not Compromised (according to SmarterTools):

  • Main website and shopping cart
  • My Account customer portal
  • Core business applications
  • Customer account data
  • Linux servers (the majority of infrastructure)

The saving graces were twofold: SmarterTools' infrastructure had largely migrated to Linux (where Warlock's Windows-focused ransomware couldn't execute), and Sentinel One successfully blocked ransomware encryption on the Windows systems that were hit.

Curtis's statement reveals the post-breach pivot: "Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts. None of the Linux servers were affected."

The lesson is clear: defense in depth works. Even when initial access is achieved, layered security controls can prevent catastrophic outcomes. But it's far better to not get breached in the first place.


The Threat Actor: Warlock Ransomware Group

Who is Warlock?

Warlock isn't just another ransomware operation—it's an emerging, sophisticated threat actor with suspected nation-state backing and a track record of targeting high-value enterprise software.

Aliases:

  • Warlock (primary self-designation)
  • GOLD SALEM (Secureworks Counter Threat Unit)
  • Storm-2603 (Microsoft Threat Intelligence)
  • Violet Typhoon (historical overlap in some vendor reporting)

Attribution: Microsoft assesses with "moderate confidence" that Storm-2603 is China-based. However, Sophos and other researchers note insufficient public evidence for definitive nation-state attribution. The group appears to operate financially motivated ransomware campaigns, potentially with state tolerance or backing—a model increasingly common among advanced threat actors who blur the lines between cybercrime and state operations.

Origin Story

Warlock first emerged in March 2025, rapidly establishing itself through aggressive exploitation of enterprise software vulnerabilities:

July 2025: The group gained prominence exploiting Microsoft SharePoint "ToolShell" vulnerabilities (CVE-2025-49704, CVE-2025-49706), demonstrating sophisticated capabilities against enterprise collaboration platforms.

August 2025: High-profile attacks on telecommunications giants—Orange Belgium (850,000 customer records compromised) and Colt Technology Services (~1 million documents exfiltrated)—established Warlock as a tier-one threat.

September-December 2025: Continued expansion across manufacturing, healthcare, education, and energy sectors, with 48+ victims listed on their leak site.

January 2026: Pivoted to targeting SmarterMail vulnerabilities, recognizing the attack surface presented by internet-facing email servers.

February 2026: The SmarterTools breach—compromising the vendor itself—represents the group's most ironic (and instructive) success to date.

Tactics, Techniques, and Procedures

Warlock's operational profile reveals a highly capable adversary with excellent tradecraft:

Initial Access:

  • Rapid exploitation of N-day vulnerabilities (often within days of patch release)
  • Focus on public-facing applications (SharePoint, SmarterMail, collaboration tools)
  • Mass scanning for unpatched internet-facing servers

Execution & Persistence:

  • ASPX web shells (spinstall0.aspx variations)
  • Abuse of legitimate administrative features (SmarterMail's Volume Mount, password reset APIs)
  • MSI installers via msiexec for payload delivery
  • Velociraptor: Legitimate DFIR tool repurposed for C2
  • SimpleHelp: Remote support software for persistent backdoor access
  • AK47 C2 Framework: Custom DNS and HTTP backdoors

Defense Evasion:

  • Antivirus Terminator: Custom tool using BYOVD (Bring Your Own Vulnerable Driver) technique
  • Deploys signed Antiy Labs driver (AToolsKrnl64.sys) to kill security processes
  • Living-off-the-land binaries (LOLBins) to blend with normal administrative activity

Impact:

  • Warlock/X2anylock ransomware deployment
  • Files encrypted with .warlock or .x2anylock extensions
  • Ransom notes: WARLOCK_DECRYPT.txt or How to decrypt my data.txt
  • Double extortion: encryption + data leak threats on dedicated leak site

Target Profile

Warlock demonstrates a clear preference for high-value targets with significant attack surface:

Sector              Notable Victims
Telecommunications  Orange Belgium, Colt Technology Services
Technology          SmarterTools
Manufacturing       Multiple undisclosed
Healthcare          Multiple undisclosed
Education           Higher education institutions
Energy              Power/utility organizations

Geographic Focus: Primarily North America, Europe, and South America, with emerging activity in LATAM markets.


The Vulnerabilities: CVE-2026-23760 and CVE-2026-24423

Understanding the technical details of these vulnerabilities is essential for defenders—and illuminating for anyone wondering how a software company gets breached through its own product.

CVE-2026-23760: The Authentication Bypass

CVSS Score:         9.8 (Critical)
EPSS Score:         55.52% (high probability of exploitation)
CWE:                CWE-287 (Improper Authentication)
Affected Versions:  SmarterMail builds prior to 9511
Fixed Version:      Build 9511 (January 15, 2026)
Discoverer:         watchTowr Labs

This is a textbook authentication bypass—the kind of vulnerability that makes security researchers simultaneously impressed and horrified. The flaw exists in SmarterMail's password reset API, specifically the force-reset-password endpoint.

The Problem:

  1. The endpoint is accessible without prior authentication
  2. When resetting the system administrator password, the API fails to verify:
    • The existing/old password
    • A valid password reset token
  3. An attacker can supply:
    • Target administrator username
    • New desired password
    • Any value for the old password (it's not validated)
  4. The system accepts the request and overwrites the credentials

The Exploit:

POST /api/v1/settings/force-reset-password
Content-Type: application/json

{
  "username": "admin",
  "oldPassword": "literally-anything-works",
  "newPassword": "attacker-controlled-password"
}

That's it. A single HTTP request, no authentication required, and the attacker now controls the administrator account.
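To make the missing checks concrete, here is an added illustration (not SmarterTools' code) of a password-reset handler that exhibits the flaw class described above, beside a hardened version that requires either the caller's own verified old password or a valid single-use reset token; the in-memory store, function names and token scheme are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory user store standing in for a real mail server's
# credential database (constructed for this example, not SmarterMail code).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class UserStore:
    def __init__(self):
        self.users = {}          # username -> (salt, pbkdf2 hash)
        self.reset_tokens = {}   # username -> (token, expiry epoch seconds)

    def add(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash(password, salt))

    def issue_reset_token(self, username, ttl=900):
        token = secrets.token_urlsafe(32)
        self.reset_tokens[username] = (token, time.time() + ttl)
        return token

def force_reset_vulnerable(store, req):
    # CWE-287 pattern described above: no session required, "oldPassword"
    # is accepted but never compared, and no reset token is demanded.
    user = req["username"]
    if user not in store.users:
        return 404
    store.add(user, req["newPassword"])
    return 200

def force_reset_hardened(store, req, session_user=None):
    user = req["username"]
    if user not in store.users:
        return 404
    if session_user == user:
        # Authenticated self-service change: the old password must verify.
        if not store.verify(user, req.get("oldPassword", "")):
            return 403
    else:
        # Unauthenticated path: only a valid, unexpired, single-use token works.
        token, expiry = store.reset_tokens.get(user, (None, 0))
        supplied = req.get("resetToken", "")
        if (token is None or time.time() > expiry
                or not hmac.compare_digest(token.encode(), supplied.encode())):
            return 403
        del store.reset_tokens[user]   # burn the token on first use
    store.add(user, req["newPassword"])
    return 200
```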

CVE-2026-24423: The Remote Code Execution

CVSS Score:     9.3 (Critical)
Type:           Unauthenticated Remote Code Execution
Mechanism:      Exploits weakness in ConnectToHub API method
Fixed Version:  Build 9511
KEV Status:     Added February 5, 2026 ("Exploited in ransomware attacks")

This vulnerability provides a more direct path to code execution through the API, without requiring the multi-step abuse chain of CVE-2026-23760. While technical details are more closely held, security researchers confirm it allows unauthenticated attackers to execute arbitrary commands on vulnerable SmarterMail servers.

The Preferred Attack Chain

ReliaQuest's analysis of Storm-2603 operations reveals why attackers often prefer CVE-2026-23760 over the more direct CVE-2026-24423:

Step 1: Exploit CVE-2026-23760 to reset administrator password

Step 2: Login to SmarterMail web interface with new credentials

Step 3: Abuse Volume Mount feature to execute arbitrary commands

  • Volume Mount is designed for mounting network drives
  • Accepts command strings without sanitization
  • Commands run with SmarterMail service privileges

Step 4: Download malicious MSI (v4.msi) from Supabase cloud storage

Step 5: Install Velociraptor for command-and-control

Why this approach?

  • Password resets and drive mounting look like normal admin tasks
  • Less "noisy" than direct RCE exploit patterns
  • May evade detection by security tools tuned for known RCE signatures

As watchTowr noted in their analysis: attackers are increasingly sophisticated about blending malicious activity with legitimate administrative operations.

CVE-2025-52691: The Earlier Vulnerability

It's worth noting that these two CVEs weren't the first critical flaws in SmarterMail:

CVE ID:         CVE-2025-52691
CVSS Score:     10.0 (Maximum)
Type:           Unauthenticated Arbitrary File Upload → RCE
CWE:            CWE-434 (Unrestricted Upload)
Fixed Version:  Build 9413 (December 2025)

This vulnerability allowed attackers to upload malicious files to any server location, enabling webshell deployment and RCE. While patched earlier, it contributed to the overall attack surface and the attention threat actors paid to SmarterMail.


The Exposure: 6,000+ Vulnerable Servers and Counting

If the SmarterTools breach were an isolated incident, it would be merely embarrassing. But multiple security scans reveal the true scope of the problem: thousands of SmarterMail servers remain vulnerable across the internet, presenting a target-rich environment for ransomware operators.

Exposure Statistics

Source                     Date               Vulnerable Instances
Shadowserver               Late January 2026  6,000+ likely vulnerable
Yutaka Sejiyama (Macnica)  Late January 2026  8,550+ vulnerable
Censys                     January 2026       8,001 vulnerable (of 18,783 exposed)

Let those numbers sink in: 42.6% of all internet-exposed SmarterMail servers were still running vulnerable builds as of late January.

Geographic Distribution

Region         Approximate Count
North America  4,200+ (US dominant with ~5,000 instances)
Asia           ~1,000
Europe         Significant exposure
UK             Notable concentration
Malaysia       Notable concentration

Why SmarterMail is an Attractive Target

SmarterMail's market position makes it inherently vulnerable to this type of attack:

  1. Microsoft Exchange Alternative: Marketed to SMBs and enterprises seeking cheaper, simpler email solutions
  2. Internet-Facing by Design: Webmail, SMTP, IMAP—the whole point is external accessibility
  3. SMB Customer Base: Smaller organizations often have limited security resources
  4. MSP/Hosting Provider Deployment: Many instances managed by third parties with variable security practices

Attack Volume

watchTowr's honeypots observed the exploitation intensity firsthand:

  • 1,000+ exploitation attempts for CVE-2026-24423
  • Originating from 60 unique IP addresses
  • Consistent, steady attack pattern
  • Weekday-heavy (drops sharply on weekends, picks up Monday)

As watchTowr noted: "Activity drops sharply [on weekends] and then quickly picks up again at the start of the workweek. It appears mostly driven by operators during business hours."

The implication: this isn't automated commodity exploitation. These are organized operators running business-hours campaigns, systematically working through the list of vulnerable targets.


The Irony: Vendor Self-Compromise in Historical Context

The SmarterTools breach joins an ignominious list of security and software vendors who failed to protect themselves from the very threats their products are designed to address.

Key Ironic Elements

1. Product Expertise Gap: A company that develops email server software didn't maintain basic patching on their own email infrastructure.

2. Shadow IT Failure: An employee-created VM flew under IT radar, despite the company having "approximately 30 servers/VMs with SmarterMail installed."

3. Timing: The breach occurred just 14 days after SmarterTools released the patch for CVE-2026-24423.

4. Self-Contradiction: SmarterTools presumably understood the severity of these vulnerabilities—they had just patched them—yet failed to ensure all internal instances were updated.

Historical Precedents

Vendor        Year     Incident
Kaseya        2021     REvil ransomware exploited their VSA platform, compromising 1,500+ downstream businesses
SolarWinds    2020     Orion supply chain attack compromised 18,000+ organizations including US government
FireEye       2020     Breached by nation-state actors, red team tools stolen
RSA Security  2011     SecurID seeds stolen, compromising authentication across enterprises
LastPass      2022-23  Developer machine compromised, password vaults accessed
Avast         2019     Internal network compromised via VPN credential theft

The Universal Lesson

watchTowr's Ryan Dewhurst summarized it perfectly:

"If you're not already patched, you should probably assume you've been compromised. Even the vendor itself was caught off guard with an out-of-date server getting hit. If the people shipping the fix can miss it, nobody gets a free pass."

Security vendors face the same challenges as their customers—and are often higher-value targets precisely because of their access, reputation, and potential for supply chain impact. The SmarterTools breach demonstrates that expertise in building security products doesn't automatically translate to organizational security discipline.


Defense Recommendations: What SmarterMail Customers Must Do Now

If you're running SmarterMail anywhere in your environment, the following actions are not optional—they're survival requirements.

Immediate Actions (Do Today)

1. Patch Every Instance—Now

Upgrade all SmarterMail deployments to Build 9526 (the latest at the time of writing) or, at an absolute minimum, Build 9511.

Download: https://www.smartertools.com/smartermail/release-notes/current

CISA's deadline for federal agencies was February 16, 2026. If you're reading this after that date and haven't patched, you're already in the danger zone.

2. Assume Compromise If Previously Unpatched

If any SmarterMail instance was running builds prior to 9511 during January-February 2026, assume breach. The 6-7 day dwell time means attackers may have established persistence that survives patching.

Conduct forensic analysis focused on:

  • Unexpected administrator password resets in logs
  • MailService.exe spawning cmd.exe or powershell.exe
  • MSI package installations from unusual sources
  • Velociraptor or SimpleHelp service installations
  • New user accounts in Active Directory

3. Audit ALL Instances

Inventory every SmarterMail deployment across the organization—and this is the critical part: include shadow IT.

Check:

  • Production environments
  • Development/testing/QC systems
  • Employee-created VMs
  • Containers and ephemeral infrastructure
  • MSP/third-party managed deployments

The SmarterTools breach happened because one VM fell through the cracks. How many forgotten VMs are in your environment?

Network Hardening

1. Isolate Mail Servers

  • Place SmarterMail in DMZ/segmented network
  • Mail server compromise should NOT provide direct path to domain controllers
  • Implement strict firewall rules limiting internal network access
  • Mail servers don't need RDP access to file servers

2. Restrict Outbound Traffic

  • Allow only necessary mail protocols (SMTP 25/465/587, IMAP 143/993, POP3 110/995)
  • Block outbound connections to cloud hosting providers (Supabase, Workers.dev) unless explicitly required
  • Sever potential C2 channels before attackers can use them

API & Interface Hardening

1. Restrict Administrative Interfaces

  • Web-based admin console should NOT be internet-accessible
  • Implement IP allowlisting for administrative functions
  • Require VPN or internal network access for admin operations
  • Enable MFA on all administrative interfaces

2. Monitor API Activity

Deploy alerting for:

  • POST requests to /api/v1/settings/force-reset-password
  • ConnectToHub API calls from unexpected sources
  • Unusual Volume Mount operations
  • Any API calls from non-standard user agents
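An added detection example (not from the original article) that runs the alert rules above over constructed access-log lines: any POST to the force-reset-password endpoint, ConnectToHub calls from outside an admin network, and API calls from non-browser user agents. The log layout, the admin range 10.20.0.0/16 and the ConnectToHub URI stem are assumptions; take the real stem from your own server's logs.

```python
import ipaddress
import re

# Constructed, simplified access-log lines in W3C style (not real SmarterMail logs):
# date time client-ip method uri-stem status "user-agent"
# The /api/v1/ConnectToHub stem is a placeholder, not a documented SmarterMail path.
SAMPLE_LOG = """\
2026-01-20 09:14:02 10.20.0.15 GET /interface/root 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"
2026-01-20 09:14:40 203.0.113.77 POST /api/v1/settings/force-reset-password 200 "python-requests/2.31"
2026-01-20 09:16:10 203.0.113.77 POST /api/v1/ConnectToHub 200 "python-requests/2.31"
2026-01-20 10:02:11 10.20.0.15 POST /api/v1/ConnectToHub 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"
"""

# Assumption: administrative operations are only expected from this internal range.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def _is_admin_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)

def _normalize(uri):
    # "connect-to-hub", "ConnectToHub" and "connecttohub" all compare equal.
    return uri.lower().replace("-", "").replace("_", "")

def detect(log_text):
    """Return (line_number, rule, client_ip) tuples for every rule that fires."""
    alerts = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        uri, ip, ua, method = rec["uri"], rec["ip"], rec["ua"], rec["method"]
        # Rule 1: the unauthenticated reset endpoint should never be hit in normal use.
        if method == "POST" and uri.lower().endswith("/force-reset-password"):
            alerts.append((lineno, "force-reset-password", ip))
        # Rule 2: ConnectToHub from anywhere other than the admin network.
        if "connecttohub" in _normalize(uri) and not _is_admin_source(ip):
            alerts.append((lineno, "connecttohub-unexpected-source", ip))
        # Rule 3: API traffic from a non-browser client (scripted access).
        if uri.startswith("/api/") and not ua.startswith("Mozilla/"):
            alerts.append((lineno, "non-browser-user-agent", ip))
    return alerts

if __name__ == "__main__":
    for lineno, rule, ip in detect(SAMPLE_LOG):
        print(f"ALERT line {lineno}: {rule} from {ip}")
```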

Detection & Hunting

Indicators of Compromise to Monitor:

Malicious Domains:

auth.qgtxtebl.workers[.]dev
vdfccjpnedujhrzscjtq.supabase[.]co
2-api.mooo[.]com
updatemicfosoft[.]com
microsfot[.]org

File Indicators:

v4.msi
Velociraptor.exe
SimpleHelp.exe
Remote.exe
*.warlock
*.x2anylock
WARLOCK_DECRYPT.txt
How to decrypt my data.txt

Behavioral Patterns:

  • MailService.exe → cmd.exe → msiexec.exe (process chain)
  • MSI downloads from cloud storage
  • Velociraptor service installations
  • Volume Shadow Copy deletions (vssadmin)
  • New admin accounts in Active Directory
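An added example, not from the original article, that reconstructs process ancestry from constructed Sysmon-style process-creation events and flags the MailService.exe → cmd.exe → msiexec.exe chain, shells spawned directly by MailService.exe, and vssadmin shadow-copy deletion; the event layout, PIDs and install paths are assumptions.

```python
import ntpath
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed events in the shape of Sysmon Event ID 1 (simplified).
# Paths and PIDs are illustrative; only the image basenames drive the rules.
SAMPLE_EVENTS = [
    ProcEvent(1200, 600, r"C:\Program Files\SmarterTools\SmarterMail\Service\MailService.exe",
              "MailService.exe"),
    ProcEvent(3310, 1200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "msiexec /i C:\\Windows\\Temp\\v4.msi /qn"'),
    ProcEvent(3320, 3310, r"C:\Windows\System32\msiexec.exe",
              "msiexec /i C:\\Windows\\Temp\\v4.msi /qn"),
    ProcEvent(3400, 3320, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcEvent(3410, 3400, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet"),
    # Benign control: Windows Installer service started by svchost, not by MailService.
    ProcEvent(4100, 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(4110, 4100, r"C:\Windows\System32\msiexec.exe", "msiexec /V"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(image):
    return ntpath.basename(image).lower()

def ancestry(events_by_pid, pid):
    """Yield image basenames from the process itself up to the last known ancestor."""
    seen = set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)               # guard against PID reuse loops in real data
        ev = events_by_pid[pid]
        yield basename(ev.image)
        pid = ev.ppid

def detect(events):
    """Return (rule, pid, chain) findings; chain reads child <- parent <- ..."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        chain = list(ancestry(by_pid, ev.pid))
        parent = chain[1] if len(chain) > 1 else None
        shown = " <- ".join(chain)
        # A mail service process has no business launching an interactive shell.
        if name in SHELLS and parent == "mailservice.exe":
            findings.append(("mailservice-spawns-shell", ev.pid, shown))
        # Any msiexec whose ancestry leads back to MailService.exe, however deep.
        if name == "msiexec.exe" and "mailservice.exe" in chain:
            findings.append(("msi-install-under-mailservice", ev.pid, shown))
        # Shadow copy deletion is a classic pre-encryption step.
        if name == "vssadmin.exe" and "delete shadows" in ev.cmdline.lower():
            findings.append(("shadow-copy-deletion", ev.pid, shown))
    return findings

if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} [{chain}]")
```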

Credential Security

1. Rotate Everything

  • Change all SmarterMail admin passwords immediately
  • Rotate domain admin and service account credentials
  • Force password changes for all accounts that accessed mail servers
  • Assume NTLM hashes were harvested if any Windows system was compromised

2. Implement MFA Everywhere

  • All administrative interfaces
  • Remote access (RDP, VPN)
  • Domain admin accounts
  • Service accounts where possible

Long-Term Architecture Changes

1. Consider Platform Decisions

SmarterTools' post-breach revelation is telling: "Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised... None of the Linux servers were affected."

Evaluate:

  • Windows vs. Linux deployment for mail infrastructure
  • Reducing Active Directory attack surface where possible
  • Container-based deployments with immutable infrastructure

2. Patch Management as Mission-Critical

  • Treat internet-facing server patching as emergency operations
  • Target 24-48 hours for critical vulnerability patches on external systems
  • Automated vulnerability scanning for all public-facing assets
  • No exceptions for "test" or "dev" systems if they're internet-accessible

3. Shadow IT Elimination

  • Implement continuous asset discovery
  • Network monitoring for unknown services
  • Regular audits of all virtual machines and containers
  • Clear policies on employee-created infrastructure

Conclusion: The Uncomfortable Truth

The SmarterTools breach isn't just a cautionary tale—it's a mirror. If the company that develops SmarterMail can get breached through an unpatched SmarterMail instance, what does that say about the thousands of organizations running this software without dedicated security teams?

The uncomfortable truth is this: security is an operational discipline, not a product feature. SmarterTools presumably knows more about SmarterMail security than anyone on the planet. They wrote the code. They understand the vulnerabilities intimately enough to patch them. Yet they still missed one server—and one server was enough for Warlock to compromise their entire Windows environment.

For the 6,000+ organizations still running vulnerable SmarterMail instances, the clock is ticking. Warlock operators are working business hours, systematically exploiting targets. The SmarterTools breach proves that even moderate defenses (Sentinel One blocking ransomware execution) can prevent catastrophic outcomes—but only if you patch before attackers establish persistence.

The lesson from SmarterTools' ordeal isn't that their software is insecure—it's that no organization is immune to the fundamentals. Asset inventory. Patch management. Shadow IT elimination. Network segmentation. These aren't exciting security initiatives. They don't make for compelling conference talks. But they're the difference between a manageable incident and an existential crisis.

If the people shipping the fix can miss it, nobody gets a free pass.

Patch today. Hunt tomorrow. Assume compromise if you waited.


References

  1. The Hacker News - "Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server" (February 12, 2026)
  2. BleepingComputer - "Hackers breach SmarterTools network using flaw in its own software" (February 9, 2026)
  3. ReliaQuest - "Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware" (February 10, 2026)
  4. SmarterTools Community Portal - Official Breach Summary by Derek Curtis (February 2026)
  5. watchTowr Labs - "Attackers With Decompilers Strike Again: SmarterTools SmarterMail Auth Bypass" (January 2026)
  6. CISA Known Exploited Vulnerabilities Catalog - CVE-2026-23760, CVE-2026-24423
  7. Check Point Research - "Before ToolShell: Exploring Storm-2603's Previous Ransomware Operations" (July 2025)
  8. Microsoft Security Blog - "Disrupting active exploitation of on-premises SharePoint vulnerabilities" (July 2025)
  9. Shadowserver Foundation - Vulnerable SmarterMail Instance Tracking
  10. SecPod - "Deep Dive: Inside the Warlock Ransomware Breach of SmarterTools" (February 2026)

This article is part of Breached Company's ongoing coverage of significant data breaches and security incidents affecting enterprise organizations. For real-time breach notifications, subscribe to our threat intelligence feed.
