Cyber Incident Victim: SmarterTools
Date: Jan 2026
Location: United States of America
Summary
A ransomware attack compromised SmarterTools through an unpatched instance of its SmarterMail email server, exploiting an unauthenticated remote code execution vulnerability. Attackers moved laterally across the network, infecting 12 Windows servers in the office and data center environments, which hosted quality control systems, the company portal, and Hosted SmarterTrack services, while the website, shopping cart, and My Account portal remained unaffected due to isolation on a separate network. The incident prompted immediate shutdown of all affected servers and internet disconnection until the breach was fully assessed, leading to the removal of Active Directory services and widespread password resets. The attack was attributed to the Warlock ransomware group, which also targeted some customers, and the exploited vulnerability had been patched in a prior software update alongside two other flaws.
Description
On January 29, 2026, SmarterTools experienced a ransomware attack targeting its internal infrastructure. The attackers gained entry through a virtual machine running an unpatched instance of the company's own SmarterMail email server product; this compromised mail server served as the initial point of access. From there, the attackers moved laterally within the company's network, specifically targeting Windows servers located in a data center, and compromised twelve Windows servers during this phase. The impacted infrastructure comprised SmarterTools' office network and one data center environment, which hosted the company's quality control testing systems, the SmarterTools portal, and the Hosted SmarterTrack network. Services hosted on a separate network, such as the SmarterTools website, shopping cart, and My Account portal, were unaffected by the incident. The company's Chief Commercial Officer, Derek Curtis, confirmed the breach vector and initial scope.

Upon detecting the breach, SmarterTools responded by immediately shutting down all servers at the two affected locations, the office network and the compromised data center, and disabling all internet access to these environments to contain the threat while a thorough evaluation was carried out. Because the attackers had targeted only Windows systems, SmarterTools eliminated as many Windows servers as possible from its environment; as part of this remediation, Active Directory services were completely removed. SmarterTools also reset passwords across the entire network. Curtis attributed the attack to the Warlock ransomware group, which emerged in June 2025 and is believed to operate from China. The attackers likely exploited CVE-2026-24423, an unauthenticated remote code execution vulnerability with a CVSS score of 9.3. This vulnerability, along with two others (CVE-2026-23760 and CVE-2025-52691), had been patched by SmarterTools on January 15 in SmarterMail build 9518. The US cybersecurity agency CISA had previously warned about the exploitation of CVE-2026-24423 in ransomware attacks. SmarterTools stated that the Warlock group had also compromised some of its customers, suggesting these were likely the incidents referenced by CISA. The company advised customers to update to the latest SmarterMail version immediately, noting that build 9526, released on January 22, contained additional improvements complementing the January 15 fixes.
