SmarterTools Breached by Own SmarterMail Vulnerabilities

9 February 2026 at 16:22

SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.”

In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.”

ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window.”

“Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliaQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.”

Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.”

“Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said SentinelOne “did a really good job detecting vulnerabilities and preventing servers from being encrypted.”

He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.”

He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:
  • Velociraptor
  • JWRapper
  • Remote Access
  • SimpleHelp
  • WinRAR (older, vulnerable versions)
  • exe
  • dll
  • exe
  • Short, random filenames such as e0f8rM_0.ps1 or abc...
  • Random .aspx files
“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”
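The file-naming indicators listed above (short random names such as e0f8rM_0.ps1, random .aspx files, dropped executables and DLLs) can be turned into a simple triage check that defenders run over a file listing from a Windows host. This is an added example, not code from SmarterTools or the post; the regex, the entropy threshold, the allow-list of common stems and the sample paths are all assumptions constructed for illustration.

```python
import math
import os
import re
from collections import Counter

# Indicators paraphrased from the post above: short random names such as
# e0f8rM_0.ps1, random .aspx files, and dropped executables/DLLs. The regex,
# entropy threshold and allow-list are assumptions, not values from the post.
REASONS = {".ps1": "short random PowerShell script name",
           ".aspx": "random .aspx file name",
           ".exe": "random executable name",
           ".dll": "random DLL name"}
SHORT_RANDOM = re.compile(r"^[A-Za-z0-9]{4,10}(_[0-9]+)?$")
KNOWN_STEMS = {"default", "index", "login", "setup", "update", "install"}  # assumed allow-list

def file_name(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]

def shannon_entropy(text):
    """Bits per character: random alphanumerics score high, real words lower."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_random(stem):
    """True for short stems with digits or mixed case, high entropy, not allow-listed."""
    base = stem.split("_")[0]
    if base.lower() in KNOWN_STEMS or not SHORT_RANDOM.match(stem):
        return False
    has_digit = any(ch.isdigit() for ch in base)
    mixed_case = base.lower() != base and base.upper() != base
    return (has_digit or mixed_case) and shannon_entropy(base) >= 2.0

def triage(paths):
    """Return (path, reason) for each path matching the post's naming indicators."""
    findings = []
    for path in paths:
        stem, ext = os.path.splitext(file_name(path))
        if ext.lower() in REASONS and looks_random(stem):
            findings.append((path, REASONS[ext.lower()]))
    return findings

def scan_tree(root):
    """Walk a real directory tree (e.g. a web root or Temp folder) and triage it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)

# Constructed sample listing; these paths and names are not from the post or any real host.
SAMPLE = [
    r"C:\Windows\Temp\e0f8rM_0.ps1",
    r"C:\example\webroot\xK9qZ2.aspx",
    r"C:\example\webroot\Default.aspx",
    r"C:\Program Files\Vendor\setup.exe",
    r"C:\Windows\Temp\report.txt",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

Name-based hits are only a starting point for review; the post also describes legitimate tools (Velociraptor, SimpleHelp, older WinRAR) being abused, which this check does not cover.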

Singapore CSA Warns of Critical SmarterMail Flaw Enabling Unauthenticated Remote Code Execution

31 December 2025 at 02:23

CVE-2025-52691

The Cyber Security Agency of Singapore (CSA) has issued a high-priority alert warning organizations and system administrators about a critical security vulnerability affecting SmarterMail, an enterprise email and collaboration platform developed by SmarterTools. The flaw, tracked as CVE-2025-52691, carries the highest possible severity rating and could allow attackers to execute arbitrary code remotely without authentication.

According to CSA, the vulnerability has been assigned a Common Vulnerability Scoring System (CVSS v3.1) score of 10.0, reflecting its potential for widespread and severe impact. The issue arises from an arbitrary file upload weakness that could be exploited by unauthenticated attackers to upload files to any directory on a vulnerable mail server.

“Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution,” CSA said in its advisory.

Technical Details and Potential Attack Scenarios for CVE-2025-52691

The vulnerability identified as CVE-2025-52691 affects SmarterMail versions Build 9406 and earlier. At its core, the flaw allows arbitrary file uploads, a class of vulnerability that can be especially dangerous in server-side applications. If a malicious file type is uploaded and automatically processed by the application environment, it may be interpreted as executable code.

CSA noted that this behavior could pave the way for remote code execution, particularly if an attacker uploads a script or binary file that the server is capable of executing. For example, malicious web shells or binaries could be placed on the server and run with the same privileges as the SmarterMail service itself.

In a hypothetical attack scenario outlined by CSA, a threat actor could leverage this weakness to establish persistent access to the mail server. From there, attackers could potentially exfiltrate sensitive data, deploy additional malware, or use the compromised system as a foothold to move laterally within an organization’s network. The absence of any authentication requirement lowers the barrier to exploitation.

Affected Versions and Recommended Mitigation

CSA confirmed that SmarterMail Build 9406 and earlier are vulnerable to exploitation. To mitigate the risk, SmarterTools has released security updates addressing the issue. The vulnerability was fixed in SmarterMail Build 9413, which was released on October 9, 2025.

“Users and administrators of affected product versions are advised to update to SmarterMail version Build 9413 immediately,” CSA stated in its bulletin.

While Build 9413 resolves CVE-2025-52691, CSA further recommends upgrading to the latest available release for improved security posture. As of the advisory, the most recent version is SmarterMail Build 9483, released on December 18, 2025. Although the agency noted that there is no indication of active exploitation in the wild, timely patching is advised to reduce exposure.

Discovery, Disclosure, and Broader Impact

CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and responsibly reporting the vulnerability. The agency also acknowledged SmarterTools Inc. for its cooperation during the coordinated disclosure and remediation process.

While CSA has not reported any confirmed in-the-wild exploitation of CVE-2025-52691, the agency made clear that unauthenticated remote code execution flaws pose a serious and immediate risk. Organizations running SmarterMail should treat this vulnerability as a high priority, apply the required updates without delay, and actively review systems for signs of unauthorized file uploads or suspicious activity.

To stay protected from vulnerabilities like CVE-2025-52691, organizations need continuous visibility into new cyber threats and real-world exploitation risks. Cyble helps security teams monitor critical vulnerabilities, track attacker activity, and prioritize remediation through AI-powered threat intelligence.

Gain early insight into high-risk vulnerabilities, attacker tactics, and exposed assets with Cyble’s AI-native threat intelligence platform. Book a free demo to strengthen your vulnerability response and reduce risk before threats escalate.