Warlock Gang Breaches SmarterTools Via SmarterMail Bugs

The ransomware group breached SmarterTools through a vulnerability in the company's own SmarterMail product.

Alexander Culafi, Senior News Writer, Dark Reading
February 9, 2026
4 Min Read

SmarterTools recently disclosed a breach that resulted from vulnerabilities the company had addressed the previous month. The software company was compromised by Warlock, a ransomware group that first emerged last year.

CVE-2026-24423 is an unauthenticated remote-code-execution vulnerability in the ConnectToHub API method of the SmarterMail mail server. It allows an attacker to point a SmarterMail instance at a malicious HTTP server under the attacker's control, which can then deliver commands to the instance. It was disclosed alongside CVE-2026-23760, an authentication bypass that lets an unauthenticated attacker force a password reset on a system administrator account, enabling full compromise of the SmarterMail instance. Both bugs carry a critical CVSS score of 9.3, and both were fixed in SmarterMail release 9511 on Jan. 15.

These vulnerabilities were used to compromise SmarterTools itself, the vendor of SmarterMail. SmarterTools chief operating officer Derek Curtis published a blog post last week detailing how the company suffered and responded to the breach, which occurred on Jan. 29.

According to Curtis, SmarterTools had 30 servers and virtual machines with SmarterMail installed across its network, but it was unaware of one that was not being updated. That single unpatched server led to the breach. Some of the company's SmarterMail customers were also hit as a result of the attack. The company said all customers should update to a fixed version of the software immediately and use the indicators of compromise included in the blog post to check for signs of a possible breach.

Fallout of the SmarterTools Breach

Curtis explained that the company isolates its networks in the event of a breach, so many services remained online during incident response. No business applications or account data were affected, he wrote. The compromise was mainly confined to SmarterTools' office network and a data center used for lab and quality-control work.

"At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory," Curtis said. "We didn't see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old."

Twelve Windows servers on its network "looked to be compromised," and on those servers, virus scanners blocked most of the attackers' efforts. None of the company's Linux servers, which make up the majority of its fleet, were affected.

As part of its incident response, SmarterTools shut down all servers at both locations and disabled all Internet access pending an evaluation. The company then restructured its networks, eliminating Windows where possible and no longer using Active Directory, and reset all network passwords.

SmarterTools praised SentinelOne for its role in the response, including detecting the vulnerabilities and preventing encryption, a detail that suggests ransomware may have been involved. "As of now, there are no major known security issues with SmarterMail," Curtis wrote. "In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company's history, and we are learning a great deal from it — with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have."

Dark Reading asked SmarterTools about the lessons it learned from the breach, but the company had not responded at press time.

Threat Actors Target SmarterMail Customers

SmarterMail's customers are SMBs and enterprises that rely on it as an alternative to Microsoft Exchange. While on-premises Microsoft Exchange deployments have had their share of serious vulnerabilities, CVE-2026-24423 and CVE-2026-23760 affect more than SmarterTools alone.

Curtis said the China-based ransomware actor known as the Warlock Group compromised the company, and that it has "observed similar activity on customer machines." Once the threat actor gains access, it installs files and waits up to a week before taking further action. As a result, some customers experienced a breach despite updating, because the initial intrusion happened earlier than the visible evidence suggested.

"They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data," the blog post read. The Warlock Group is believed to target primarily Windows environments.

It's not every day that a technology vendor is compromised through a vulnerability in its own product, but as SmarterTools shows, it is possible. Organizations should take regular inventory of their SmarterMail deployments so that no unpatched instance is overlooked, and apply follow-on hardening measures such as network segmentation.