SmarterTools Hit by Ransomware via Vulnerability in Its Own Product

SmarterTools says customers were impacted after hackers compromised a data center used for quality control testing.

IT management software company SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server.

The incident occurred on January 29 and impacted the company’s office network and a data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network.

The company’s website, shopping cart, My Account portal, and other services were not affected, as they were hosted on a different network.

The point of entry, SmarterTools CCO Derek Curtis has revealed, was a VM running an unpatched instance of the company’s SmarterMail product. Hackers compromised the mail server and moved laterally to the Windows servers they could find in the data center, compromising 12 of them.

“When we first noticed the breach, we instantly shut off all servers at the two locations and we disabled all internet until we completely evaluated all aspects of the breach and either eliminated servers and/or restored servers to be safe,” Curtis explained.

Because the hackers only targeted Windows systems, SmarterTools eliminated as many Windows servers as it could, removed Active Directory services from its environment, and reset passwords across the network.

The attack, Curtis said, was perpetrated by a ransomware group known as Warlock, which emerged in June 2025 and is believed to be operating out of China.

The hackers likely exploited CVE-2026-24423 (CVSS score of 9.3), an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15 along with two other exploited flaws, namely CVE-2026-23760 and CVE-2025-52691.

Last week, the US cybersecurity agency CISA warned that CVE-2026-24423 had been exploited in ransomware attacks, without detailing the observed exploitation.

With SmarterTools saying that the Warlock gang has compromised some of its customers as well, it is likely that these were the ransomware attacks CISA was referring to.

Customers are advised to update to the latest version of SmarterMail as soon as possible. Curtis pointed out that, while the exploited security defects were addressed on January 15 in build 9518, SmarterMail build 9526 was released on January 22 to complement the fixes with additional improvements.

“It remains challenging to ensure all customers keep their installations up to date. Every build we release has significance. Even smaller security updates can help prevent issues such as denial-of-service attacks that might otherwise consume excessive server memory or CPU,” Curtis notes.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.