When the Shoemaker Goes Barefoot: Warlock Ransomware Hits SmarterTools Via Their Own Unpatched SmarterMail
SmarterTools confirms the Warlock ransomware gang breached their network through a forgotten, unpatched SmarterMail server. The attackers exploited known vulnerabilities (CVE-2026-23760, CVE-2026-24423) to gain access, then moved laterally before deploying ransomware.
There's a special kind of irony when a software company gets breached through its own product. Last week, SmarterTools—the folks behind the popular SmarterMail server software—confirmed they were hit by the Warlock ransomware gang after attackers found a forgotten, unpatched mail server lurking in their network.
The breach happened on January 29th, and here's where it gets painfully relatable for anyone who's managed IT infrastructure. SmarterTools had around 30 servers running SmarterMail internally. Twenty-nine of them were properly patched. One wasn't. An employee had spun up a VM at some point, and it fell through the cracks of their update process. Warlock found it, exploited it, and that was all she wrote.
"Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated," explained Derek Curtis, the company's Chief Commercial Officer. "As a result, that mail server was compromised, which led to the breach."
What makes this attack particularly concerning is the timeline. Warlock didn't smash and grab—they settled in and got comfortable. After gaining initial access through the unpatched SmarterMail instance, the attackers waited a couple of days before making their next move. They took control of the Active Directory server, created new user accounts to maintain persistence, and deployed Velociraptor—a legitimate forensics tool that attackers have been repurposing for evil—before finally dropping the ransomware payload.
This "low and slow" approach is increasingly common among ransomware operators. By blending in with normal administrative activity like password resets, drive mounting, and creating new accounts, they avoid tripping the detection systems that are tuned to catch obvious exploitation attempts.
While SmarterTools hasn't confirmed exactly which vulnerability Warlock exploited, there are three prime suspects that have all been actively exploited in the wild. CVE-2025-52691, the big one from December with a perfect 10.0 CVSS score, kicked off this wave of attacks. CVE-2026-23760, scoring 9.3, is an authentication bypass that lets anyone reset the system administrator password with a specially crafted HTTP request. According to ReliaQuest, this appears to be Warlock's preferred entry point, likely because abusing a password reset feature looks like normal admin work. And CVE-2026-24423, also a 9.3, offers a more direct path to remote code execution through the ConnectToHub API. CISA confirmed this one is being actively used in ransomware attacks.
SmarterTools says about 12 Windows servers on their office network were affected, along with a secondary data center used for QC testing. The good news is their website, shopping cart, and customer account portals weren't impacted. The bad news is hosted customers using SmarterTrack got caught in the blast radius—not because of any flaw in SmarterTrack itself, but because that environment was more accessible once attackers were inside the network.
If you're running SmarterMail, stop reading and go update to Build 9526 immediately. Not tomorrow. Not after lunch. Now.
But beyond the obvious "patch your stuff" advice, this breach highlights something that trips up organizations of all sizes: shadow IT and asset inventory gaps. SmarterTools—a company whose entire business is building this software—didn't know about a VM running their own product. If it can happen to them, it can happen to your clients.
Consider this your reminder to audit what's actually running in your environment. Every forgotten dev server, every test VM that became permanent, every "temporary" instance from three years ago—they're all potential entry points waiting to be discovered by someone who isn't you.
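As an added illustration of the inventory-gap point above (example code, not SmarterTools' own tooling), the Python below reconciles a hypervisor's VM list against what patch management knows about and flags any SmarterMail host still below Build 9526. All hostnames, owners, build numbers and the record layout are constructed for the example.

```python
"""Reconcile hypervisor VM inventory against patch-management coverage.

Constructed sample data, not SmarterTools' real inventory: hostnames,
owners, build numbers and record layout are assumptions for illustration.
"""
from dataclasses import dataclass

# Minimum fixed SmarterMail build named in the article.
FIXED_BUILD = 9526

# Constructed: what the hypervisor says is actually running.
HYPERVISOR_VMS = [
    {"name": "mail01", "owner": "it-ops"},
    {"name": "mail02", "owner": "it-ops"},
    {"name": "mail-test-jdoe", "owner": "jdoe"},  # the forgotten employee VM
    {"name": "dc01", "owner": "it-ops"},
]

# Constructed: hosts enrolled in the patch-management tool.
PATCH_MGMT = {"mail01", "mail02", "dc01"}

# Constructed: software versions reported by a scan of each running VM
# (build number below FIXED_BUILD is a hypothetical older build).
SCAN_RESULTS = {
    "mail01": {"smartermail_build": 9526},
    "mail02": {"smartermail_build": 9526},
    "mail-test-jdoe": {"smartermail_build": 9400},
    "dc01": {},
}


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str


def reconcile(vms, patch_mgmt, scans, fixed_build=FIXED_BUILD):
    """Flag VMs that patch management does not cover, and SmarterMail
    installs whose scanned build is older than the fixed build."""
    findings = []
    for vm in vms:
        name = vm["name"]
        if name not in patch_mgmt:
            findings.append(Finding(name, f"not enrolled in patch management (owner: {vm['owner']})"))
        build = scans.get(name, {}).get("smartermail_build")
        if build is not None and build < fixed_build:
            findings.append(Finding(name, f"SmarterMail build {build} is below {fixed_build}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HYPERVISOR_VMS, PATCH_MGMT, SCAN_RESULTS):
        print(f"{f.host}: {f.issue}")
```

The hypervisor list is the source of truth here because, as the breach shows, a VM can run for years without ever appearing in the patching tool's view.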
References
- SmarterTools Community Portal Disclosure: https://portal.smartertools.com/community/a95929/smartertools-network-breach-notification.aspx
- ReliaQuest Threat Spotlight: https://www.reliaquest.com/blog/storm-2603-warlock-ransomware/