In what may be one of the most ironic cybersecurity incidents of 2026, SmarterTools - the company behind the popular email server platform SmarterMail - was breached by a ransomware group that exploited critical vulnerabilities in their own software.
The attack, attributed to a China-linked group tracked as Storm-2603 (also known as Warlock), has sent shockwaves through the email hosting industry and serves as a stark reminder that no organisation is immune, not even the vendor whose own software is the target.
What Happened
On January 29, 2026, attackers exploited an unpatched SmarterMail virtual machine on SmarterTools' own internal network. The VM had been set up by an employee and was not receiving regular updates - a classic case of shadow IT creating a blind spot in an otherwise secured environment.
After gaining initial access, the attackers waited six to seven days before deploying their tools. They used Velociraptor, a legitimate digital forensics tool repurposed for persistence, followed by ransomware encryption payloads. Approximately 12 Windows servers across SmarterTools' office network and a secondary data centre used for QC testing were compromised.
The Vulnerabilities
The attack leveraged at least three critical CVEs, each a severe flaw in SmarterMail itself:
- CVE-2025-52691 (CVSS 10.0) - The critical vulnerability used for initial access
- CVE-2026-23760 (CVSS 9.3) - An authentication bypass that lets an attacker reset the system administrator password via a crafted HTTP request
- CVE-2026-24423 (CVSS 9.3) - An unauthenticated remote code execution flaw in the ConnectToHubAPI endpoint, allowing arbitrary command execution without any credentials
On February 5, 2026, CISA added CVE-2026-24423 to its Known Exploited Vulnerabilities catalogue, marking it as actively exploited in ransomware campaigns. This was the third SmarterMail vulnerability added to the KEV catalogue in just two weeks. Federal agencies were ordered to patch by February 26, 2026.
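As an added example (not code from SmarterTools or from this page's author), the following Python triage script does the two checks a SmarterMail administrator would want after reading the list above: it compares a reported build number against the first fixed build, 9511, and it scans an access log for requests to the ConnectToHubAPI endpoint. The log layout, the request path under which the endpoint appears, and the sample log lines are assumptions constructed for the example; only the endpoint name and the build number come from the article.

```python
import re
from collections import Counter

# First SmarterMail build that contains the fixes, per the vendor guidance cited above.
FIXED_BUILD = 9511

# Assumption: the vulnerable endpoint's name appears in the request path. The exact
# URL is not given in the article, so match on the endpoint name, case-insensitively.
SUSPECT_ENDPOINT = "connecttohubapi"

# Assumption: the access log uses the common/combined (NCSA) layout. Adjust the
# pattern if your SmarterMail or reverse-proxy log is shaped differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_patched(build):
    """True if the reported build (e.g. 'Build 9526' or 9526) is at or past the fixed build."""
    m = re.search(r"\d+", str(build))
    if not m:
        raise ValueError(f"no build number found in {build!r}")
    return int(m.group()) >= FIXED_BUILD


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return (hits, hits_per_ip) for every request that touched the ConnectToHubAPI endpoint.

    Every hit is worth a look: the endpoint should not be reachable from arbitrary
    clients, and a burst of calls from one address is the pattern the researchers
    quoted in the article describe.
    """
    hits = [rec for rec in map(parse_line, lines)
            if rec and SUSPECT_ENDPOINT in rec["path"].lower()]
    return hits, Counter(h["ip"] for h in hits)


def triage(build, lines):
    """Summarise patch state and suspicious endpoint activity for one server."""
    hits, per_ip = hunt(lines)
    return {
        "patched": is_patched(build),
        "endpoint_hits": len(hits),
        "sources": dict(per_ip),
        # A 200 means the server accepted the request; on an unpatched build that is a
        # possible successful exploitation rather than a mere probe.
        "accepted": sum(1 for h in hits if h["status"] == "200"),
    }


# Constructed sample log (not real traffic). Addresses are RFC 5737 documentation
# ranges and the request path is illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2026:03:12:41 +0000] "POST /api/v1/settings/sysadmin/ConnectToHubAPI HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.23 - - [29/Jan/2026:03:12:44 +0000] "GET /interface/root HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2026:03:12:45 +0000] "POST /api/v1/settings/sysadmin/connecttohubapi HTTP/1.1" 500 0 "-" "python-requests/2.32"
192.0.2.55 - - [29/Jan/2026:03:13:02 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 300 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    report = triage("Build 9510", SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a copy of the real access log rather than the constructed sample. Any request to that endpoint from an address you do not recognise deserves investigation, and an accepted request on an unpatched build should be treated as a possible compromise rather than a probe.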
The Scale of the Threat
Security researchers have observed more than 1,000 exploitation attempts from 60 unique attacker IP addresses targeting SmarterMail installations worldwide. SmarterMail is widely used by small and mid-sized businesses as an alternative to Microsoft Exchange, which means thousands of organisations could be at risk.
"Storm-2603 chains this access with the software's built-in Volume Mount feature to gain full system control." - Alexa Feminella, ReliaQuest Security Researcher
SmarterTools' Response
In a drastic but commendable response, SmarterTools has eliminated Windows entirely from their network infrastructure and discontinued Active Directory services. The company has released patches in SmarterMail Build 9511 and later (current version: Build 9526).
Derek Curtis, Chief Commercial Officer at SmarterTools, acknowledged the oversight: "Unfortunately, we were unaware of one VM that was not being updated."
Key Takeaways for Email Hosting Providers
This incident highlights several critical lessons:
- Shadow IT is a real threat - A single forgotten, unpatched VM was the entry point for a sophisticated ransomware attack
- Patch management is non-negotiable - The window between vulnerability disclosure and active exploitation is measured in days, not weeks
- Self-hosted email carries risk - Organisations running their own email servers must commit to continuous security monitoring and rapid patching
- Managed email hosting reduces exposure - By using a managed service, businesses transfer the burden of server security and patching to specialists who monitor threats around the clock
If you're running SmarterMail, update to Build 9511 or later immediately. Patching closes the hole but does not evict an attacker who already got in: review access logs for requests to the vulnerable endpoints, confirm the system administrator password has not been reset without your knowledge, and look for Velociraptor or any other tooling you did not deploy. If you're evaluating your email hosting strategy, this incident underscores the value of choosing a provider that prioritises security infrastructure, automated patching, and 24/7 monitoring.