Warlock Ransomware Breaches SmarterTools via Its Own

Compromised by Its Own Product

SmarterTools, the company behind the popular SmarterMail email server platform, has confirmed it was breached by the Warlock ransomware group using a zero-day vulnerability in its own product. The attack exploited CVE-2026-23760, an authentication bypass flaw in SmarterMail versions prior to Build 9518.

The breach originated from an employee-provisioned virtual machine running an unpatched SmarterMail instance — a textbook shadow IT risk.

Attack Timeline

Jan 29, 2026  — Warlock gains initial access via CVE-2026-23760
Late January  — Lateral movement across 12 Windows servers
Feb 5, 2026   — CISA adds CVE-2026-23760 to Known Exploited Vulnerabilities (KEV)
Feb 9, 2026   — SmarterTools publicly discloses the breach
Feb 10, 2026  — Warlock publishes sample data on leak site

Vulnerability Details

Attribute	Detail
CVE	CVE-2026-23760
Type	Authentication Bypass
Affected	SmarterMail before Build 9518
CVSS	9.1 (Critical)
Exploitation	Remote, no authentication required
CISA KEV	Added February 5, 2026
Fix	Build 9526

The vulnerability allows unauthenticated attackers to bypass SmarterMail's login mechanisms entirely, gaining administrative access to the mail server.

Scope of the Breach

Metric	Details
Servers compromised	12 Windows servers
Data centers	Primary + secondary
Documents exfiltrated	1,000,000+
Data types	Source code, internal emails, customer support data
Ransomware deployed	Yes, after exfiltration was complete

Why This Matters

The breach highlights a painful irony — SmarterTools was compromised through a vulnerability in the product it develops. The employee-provisioned VM running an outdated SmarterMail build was not subject to standard patching discipline.

This reinforces critical security principles:

Patch your own products — ensure every internal instance runs the latest version
Eliminate shadow IT — employee-provisioned VMs are prime attack vectors
Assume breach — lateral movement to 12 servers indicates insufficient segmentation
Asset inventory — you can't patch what you don't know exists

Actions for SmarterMail Administrators

Upgrade immediately to SmarterMail Build 9526 or later
Audit all SmarterMail instances for unauthorized or forgotten deployments
Review authentication logs for bypass activity dating back to late January
Ensure network segmentation — mail servers should not be pivot points
Check CISA KEV — federal agencies must patch within mandated timelines

Sources

Compromised by Its Own Product

The breach originated from an employee-provisioned virtual machine running an unpatched SmarterMail instance — a textbook shadow IT risk.

Attack Timeline

Jan 29, 2026  — Warlock gains initial access via CVE-2026-23760
Late January  — Lateral movement across 12 Windows servers
Feb 5, 2026   — CISA adds CVE-2026-23760 to Known Exploited Vulnerabilities (KEV)
Feb 9, 2026   — SmarterTools publicly discloses the breach
Feb 10, 2026  — Warlock publishes sample data on leak site

Vulnerability Details

Attribute	Detail
CVE	CVE-2026-23760
Type	Authentication Bypass
Affected	SmarterMail before Build 9518
CVSS	9.1 (Critical)
Exploitation	Remote, no authentication required
CISA KEV	Added February 5, 2026
Fix	Build 9526

The vulnerability allows unauthenticated attackers to bypass SmarterMail's login mechanisms entirely, gaining administrative access to the mail server.

Scope of the Breach

Metric	Details
Servers compromised	12 Windows servers
Data centers	Primary + secondary
Documents exfiltrated	1,000,000+
Data types	Source code, internal emails, customer support data
Ransomware deployed	Yes, after exfiltration was complete

Why This Matters

This reinforces critical security principles:

Patch your own products — ensure every internal instance runs the latest version
Eliminate shadow IT — employee-provisioned VMs are prime attack vectors
Assume breach — lateral movement to 12 servers indicates insufficient segmentation
Asset inventory — you can't patch what you don't know exists

Actions for SmarterMail Administrators

Upgrade immediately to SmarterMail Build 9526 or later
Audit all SmarterMail instances for unauthorized or forgotten deployments
Review authentication logs for bypass activity dating back to late January
Ensure network segmentation — mail servers should not be pivot points
Check CISA KEV — federal agencies must patch within mandated timelines

Warlock Ransomware Breaches SmarterTools via Its Own

Compromised by Its Own Product

Attack Timeline

Vulnerability Details

Scope of the Breach

Why This Matters

Actions for SmarterMail Administrators

Sources

Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Disclosure

CISA Adds Zimbra XSS and SharePoint RCE to KEV; Cisco FMC Zero-Day Tied to Ransomware

Interlock Ransomware Has Been Exploiting Cisco FMC Zero-Day CVE-2026-20131 Since January

Warlock Ransomware Breaches SmarterTools via Its Own

Compromised by Its Own Product

Attack Timeline

Vulnerability Details

Scope of the Breach

Why This Matters

Actions for SmarterMail Administrators

Sources

Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Disclosure

CISA Adds Zimbra XSS and SharePoint RCE to KEV; Cisco FMC Zero-Day Tied to Ransomware

Interlock Ransomware Has Been Exploiting Cisco FMC Zero-Day CVE-2026-20131 Since January