CISA Adds SmarterMail RCE Flaw to KEV Catalog After Warlock Ransomware Exploits It
CISA added CVE-2026-24423, a critical unauthenticated remote code execution flaw in SmarterMail, to its Known Exploited Vulnerabilities catalog after the Warlock ransomware group breached SmarterTools' own network through an unpatched instance.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24423 to its Known Exploited Vulnerabilities (KEV) catalog on February 5, 2026, explicitly tagging it as exploited in ransomware campaigns. The vulnerability carries a CVSS score of 9.3 and affects SmarterMail, a widely deployed email and collaboration server from SmarterTools. Federal civilian agencies were ordered to address the flaw by February 26, 2026.
How the Vulnerability Works
CVE-2026-24423 is an unauthenticated remote code execution flaw in the ConnectToHub API method in SmarterMail. Because the API lacks proper authentication checks, an attacker with network access to the server can send a crafted request and execute arbitrary code without any credentials. A companion flaw, CVE-2026-23760, allows an unauthenticated attacker to reset the SmarterMail system administrator password via a specially crafted HTTP request. CISA added CVE-2026-23760 to KEV on January 26, 2026.
Threat intelligence firm ReliaQuest identified the Warlock group (also tracked as Storm-2603 and Gold Salem) as actively chaining both vulnerabilities. After gaining initial access, attackers download a malicious MSI installer from a Supabase-hosted URL, install the Velociraptor agent for persistence, and then deploy the Warlock ransomware payload approximately six to seven days after the initial compromise. That delay explains why some customers experienced a ransomware event even after patching: initial access had already occurred before the update was applied.
SmarterTools Breached Through Its Own Product
SmarterTools confirmed that its own network was compromised on January 29, 2026, because an internal SmarterMail server had not been updated to the patched build. The company publicly disclosed the incident after the Warlock group exploited the same vulnerabilities it had already patched for customers.
SmarterTools has released Build 9526, which addresses both flaws. Organizations running SmarterMail should upgrade immediately, restrict external access to the administrative interface, and audit mail server hosts for signs of compromise such as unexpected scheduled tasks, new service accounts, or unexplained Velociraptor agent installations.
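The host audit recommended above, as an added PowerShell example that is not code from SmarterTools, CISA or this article. It assumes the SmarterMail host runs Windows, that Velociraptor uses its default service name and install directory (`Velociraptor`, `C:\Program Files\Velociraptor`, both assumed defaults), and it uses a constructed 30-day review window.

```powershell
# Added triage example, not code from SmarterTools, CISA or the article.
# Assumptions: SmarterMail host is Windows; 'Velociraptor' service name and
# 'C:\Program Files\Velociraptor' are assumed defaults; $SinceDate is a
# constructed review window, widen it to cover your own exposure period.
param(
    [datetime]$SinceDate = (Get-Date).AddDays(-30)
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Velociraptor agent: service, install directory, or MSI uninstall entry.
$svc = Get-Service -Name 'Velociraptor' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Velociraptor service present (status: $($svc.Status))") }
if (Test-Path 'C:\Program Files\Velociraptor') {
    $findings.Add('Velociraptor install directory present')
}
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Velociraptor*' } |
    ForEach-Object { $findings.Add("MSI-installed product: $($_.DisplayName) $($_.DisplayVersion)") }

# 2. Services installed (System log 7045) and scheduled tasks registered
#    (Security log 4698) inside the window; 4698 needs task-scheduler auditing on.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $SinceDate } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $findings.Add("New service $($_.TimeCreated): $($_.Properties[0].Value) -> $($_.Properties[1].Value)")
    }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $SinceDate } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4698 EventData order: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, TaskName, ...
        $findings.Add("Scheduled task $($_.TimeCreated): $($_.Properties[4].Value) by $($_.Properties[1].Value)")
    }

# 3. Local accounts created inside the window (Security log 4720, TargetUserName first).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $SinceDate } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Account created $($_.TimeCreated): $($_.Properties[0].Value)") }

if ($findings.Count -eq 0) {
    Write-Output "No indicators found since $SinceDate; still confirm the server is on Build 9526 or later."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it elevated on each SmarterMail host; every finding is a lead to review, not a confirmed compromise, and an empty result does not replace upgrading to Build 9526.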