A community advisory by SmarterTools said the Warlock ransomware gang breached its network on January 29, 2026 by exploiting an unpatched SmarterMail instance, affecting about 12 Windows office servers and a secondary data center.
KEY FACTS
- Incident: Unauthorized access and ransomware activity after an unpatched mail server was compromised
- Date: January 29, 2026
- Affected systems: ~12 Windows servers on the office network and a secondary QC data center
- Exploit: Unpatched SmarterMail instance, exact CVE unclear
Initial access came through a VM that an employee had created and that had not been updated, allowing attackers to compromise the mail server and move into the environment, per the advisory.
About 30 servers had SmarterMail installed across the network before the incident. The advisory states that hosted customers using SmarterTrack were the most affected because that environment was more accessible after the breach.
Attackers reportedly waited several days after gaining access to take control of the Active Directory server, create new users, and deploy additional tools including Velociraptor and a file locker to encrypt data, per the advisory.
ReliaQuest’s report describes abuse of CVE-2026-23760 to bypass authentication and stage a payload on internet-facing systems, plus a malicious MSI downloaded from Supabase and used to install Velociraptor. The advisory and the report note that CVE-2026-24423 also offers a direct remote code execution path.
SmarterMail updates and server isolation were recommended to block lateral movement and protect hosted customers. It is not yet clear which specific vulnerability was weaponized in this incident.
WHY IT MATTERS
Unpatched mail servers can provide a foothold that allows ransomware operators to gain administrative control and stage payloads. Applying vendor fixes and isolating mail infrastructure reduces the risk of lateral movement and data encryption.

