SmarterTools disclosed that the Warlock ransomware group breached its network by exploiting an unpatched SmarterMail instance, with the incident occurring on 29 January 2026. The attack compromised about 12 Windows servers on the office network and a secondary QC data centre, and affected hosted customers using SmarterTrack, according to Tim Uzzanti and Derek Curtis from SmarterTools.
The company noted that the breach did not impact its website, shopping cart, My Account portal, or other business applications or data. After gaining initial access, the attackers waited a couple of days before taking control of the Active Directory server, then created new users and dropped payloads such as Velociraptor and a ransomware locker. The CEO described the activity as an “attempted ransomware attack”.
Multiple SmarterMail vulnerabilities are being exploited in the wild, including CVE-2025-52691, CVE-2026-23760 and CVE-2026-24423, and SmarterTools noted that, per CISA, CVE-2026-24423 was being exploited in ransomware attacks. According to ReliaQuest’s report, activity likely linked to Warlock involved abusing CVE-2026-23760 to bypass authentication and stage the ransomware payload, including downloading Velociraptor via a malicious MSI from Supabase to maintain access. SmarterMail has since been patched to Build 9511, with further guidance to upgrade to Build 9526 for stronger protection.