Ethical Hacking News
SmarterTools Discovers SmarterMail Server Breach: A Cautionary Tale of Unpatched Software Vulnerabilities
The SmarterTools company was hit by a ransomware attack due to an unpatched vulnerability in its SmarterMail server. The attackers exploited CVE-2026-24423, a known weakness that allows for unauthenticated remote code execution (RCE). About 12 Windows servers and hosted customers using SmarterTrack were also affected by the breach. SmarterTools emphasizes the importance of regular software updates and patching to prevent similar attacks. The incident highlights the need for companies to monitor their systems, educate employees about software vulnerability risks, and take proactive steps to prevent security breaches.
SmarterTools, a software company that provides email and project management tools to small to medium-sized businesses, recently discovered a breach in its SmarterMail server due to an unpatched vulnerability. The attack was carried out by the Warlock ransomware gang, which exploited a known weakness in the SmarterMail software to gain access to the server.
According to Derek Curtis, SmarterTools' Chief Commercial Officer, the company had approximately 30 servers running SmarterMail throughout its network. However, one of these servers, set up by an employee, was not being updated regularly. This server became a vulnerable entry point for the attackers, who exploited CVE-2026-24423 to gain unauthenticated remote code execution (RCE).
The attack occurred on January 29, 2026, and SmarterTools confirmed that no business applications or account data were affected. However, about 12 Windows servers on the company's office network and a secondary data center used for quality control tests were compromised. Additionally, hosted customers using SmarterTrack were also impacted.
The attackers waited for two days after gaining initial access to take control of the Active Directory server and create new users. They then dropped additional payloads like Velociraptor and the locker to encrypt files. The attackers followed a typical ransomware attack pattern, installing files and waiting approximately 6-7 days before taking further action.
Multiple vulnerabilities in the SmarterMail software have come under active exploitation in the wild: CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS scores: 9.3). The latter two vulnerabilities are particularly concerning as they allow attackers to bypass authentication and gain full system control.
The fact that the attackers abused legitimate features like password resets and drive mounting instead of relying solely on a single 'noisy' exploit primitive suggests that they may be trying to blend in with typical administrative workflows, making it harder for security systems to detect their activities.
"It's currently not clear which SmarterMail vulnerability was weaponized by attackers," said Derek Curtis. "However, we can confirm that the initial breach occurred prior to our update, and malicious activity was triggered later." The company has released a patch for CVE-2026-24423 in build 9511.
The incident serves as a reminder of the importance of regular software updates and patching. SmarterTools emphasizes that no business applications or account data were affected by the breach, but it still highlights the potential risks associated with unpatched vulnerabilities.
"In this case, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained. "Unfortunately, we were unaware of one VM set up by an employee that was not being updated. As a result, that mail server was compromised, which led to the breach."
The attack highlights the need for companies to be vigilant in monitoring their systems and patching vulnerabilities promptly. It also underscores the importance of educating employees about the risks associated with unpatched software.
In response to this incident, SmarterTools is advising users of SmarterMail to upgrade to the latest version (Build 9526) immediately for optimal protection and to isolate mail servers to block lateral movement attempts used to deploy ransomware.
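The gap Curtis describes above, a SmarterMail VM outside the update process, can be caught by reconciling what a network sweep finds against what the patch process manages. The following is an added example, not code from SmarterTools or the original article; the host names, the sweep CSV layout and build 9413 are constructed, and treating the build as a single comparable integer is an assumption. The thresholds 9511 and 9526 are the builds named in the article.

```python
import csv
import io

FIXED_BUILD = 9511        # build the article names as patching CVE-2026-24423
RECOMMENDED_BUILD = 9526  # build the article says SmarterTools advises upgrading to

# Constructed sample: hosts the patch-management process knows about.
MANAGED_INVENTORY = {"mail01.example.internal", "mail02.example.internal"}

# Constructed sample: hosts a network sweep identified as SmarterMail, with the
# build each reported (empty when the build could not be determined).
DISCOVERED_CSV = """host,build
mail01.example.internal,9526
mail02.example.internal,9511
qa-mail.example.internal,9413
lab-mail.example.internal,
"""


def audit(discovered_csv, managed, fixed=FIXED_BUILD, recommended=RECOMMENDED_BUILD):
    """Return {host: [issues]} for every host that needs attention."""
    findings = {}
    seen = set()
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        host = row["host"].strip().lower()
        raw = (row.get("build") or "").strip()
        build = int(raw) if raw.isdigit() else None
        seen.add(host)
        issues = []
        if host not in managed:
            issues.append("unmanaged")            # running, but nobody patches it
        if build is None:
            issues.append("build-unknown")        # treat as unpatched until proven otherwise
        elif build < fixed:
            issues.append("below-fixed-build")    # predates the CVE-2026-24423 patch
        elif build < recommended:
            issues.append("below-recommended-build")
        if issues:
            findings[host] = issues
    # Managed hosts the sweep never saw: stale inventory or an unreachable server.
    for host in sorted(managed - seen):
        findings[host] = ["managed-but-not-seen"]
    return findings


if __name__ == "__main__":
    for host, issues in audit(DISCOVERED_CSV, MANAGED_INVENTORY).items():
        print(f"{host}: {', '.join(issues)}")
```

A host flagged both unmanaged and below the fixed build matches the entry point described in this incident and is the first candidate for isolation.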
The incident also raises questions about the effectiveness of security measures in place. While SmarterTools has a robust security posture, the attack highlights the importance of continuous monitoring and patching.
In conclusion, this incident serves as a cautionary tale for companies that run unpatched software. The use of legitimate features by attackers to gain access to systems makes it harder for security systems to detect their activities. Regular software updates and patching are essential in preventing such attacks.
The SmarterTools breach also highlights the importance of employee education and awareness about software vulnerability risks. Companies must ensure that their employees understand the potential risks associated with unpatched software and take proactive steps to mitigate them.
Furthermore, this incident underscores the importance of continuous monitoring and patching in preventing security breaches. The fact that attackers waited for two days after gaining initial access to take control of the Active Directory server and create new users highlights the need for companies to stay vigilant and monitor their systems regularly.
In light of this incident, it is essential for companies to review their software update policies and ensure that all servers are up-to-date with the latest patches. Companies must also educate their employees about the risks associated with unpatched software vulnerabilities and ensure that they understand the importance of regular patching.
Ultimately, this incident serves as a reminder of the importance of taking proactive steps to prevent security breaches. Regular software updates, patching, and employee education are essential in mitigating the risk of such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/SmarterTools-Discovers-SmarterMail-Server-Breach-A-Cautionary-Tale-of-Unpatched-Software-Vulnerabilities-ehn.shtml
Published: Wed Feb 18 23:22:06 2026 by llama3.2 3B Q4_K_M