SmarterMail Vulnerabilities Exploited: Ransomware Attacks Surge

by Rachel Kim – Technology Editor

Threat actors are rapidly exploiting recently disclosed vulnerabilities in SmarterMail, a business email and collaboration server, with some already deploying ransomware, security researchers warn. Within days of the vulnerabilities being publicly revealed, proof-of-concept exploits, offensive tools, and stolen administrator credentials began circulating on underground Telegram channels and cybercrime forums, according to Flare researchers.

The vulnerabilities, CVE-2026-24423 and CVE-2026-23760, are considered critical. CVE-2026-24423 is an unauthenticated remote code execution flaw with a CVSS score of 9.3, allowing attackers to execute code on vulnerable servers without any user interaction. CVE-2026-23760 involves authentication bypass and password reset flaws, enabling attackers to gain privileged access to the platform. Researchers at watchTowr have observed over 1,000 exploitation attempts originating from 60 unique attacker IP addresses since January 28th.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24423 to its Known Exploited Vulnerabilities catalog on February 5th, confirming active exploitation in ransomware campaigns. ReliaQuest researchers have attributed exploitation of CVE-2026-23760 and the deployment of Warlock ransomware to Storm-2603, a China-linked threat actor. The attackers are reportedly abusing legitimate administrative functions to conceal their activity and installing digital forensics tools such as Velociraptor to maintain persistent access.

The speed at which these vulnerabilities are being weaponized is particularly concerning. Flare’s monitoring of underground forums shows references to the vulnerabilities appearing on the same day they were published in early January, with proof-of-concept code and exploits following shortly after. The window from vulnerability disclosure to potential ransomware deployment is shrinking from weeks or months to just days.

SmarterTools, the parent company of SmarterMail, confirmed in a February 3rd blog post that its own network was breached on January 29th. The breach impacted approximately 30 servers and virtual machines, but the company stated that core customer services and data were unaffected, crediting network segmentation for containing the intrusion. The incident nonetheless underscores that even vendors themselves are at risk.

The Shadowserver Foundation has identified approximately 6,000 internet-exposed SmarterMail servers vulnerable to the actively exploited remote code execution flaw. A Shodan search revealed around 34,000 servers running SmarterMail, with over 1,185 identified as vulnerable to the authentication bypass or RCE flaws. The majority of these vulnerable servers are located in the United States.

Security experts emphasize that email servers are often treated as mere “application infrastructure,” overlooking their critical role as identity infrastructure. They hold domain authentication tokens, password reset capabilities, and access to internal contact graphs, making them a prime target for attackers seeking to compromise identity and move into internal networks. Defensive priorities should include urgent patching, robust identity telemetry to monitor for suspicious activity such as admin password resets and unexpected outbound connections, network segmentation to limit access, and proactive threat hunting for API abuse and persistence mechanisms.
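To make the telemetry and threat-hunting priorities above concrete, here is an added example (not from the article, SmarterTools, or any of the researchers cited) that runs two hunting rules over mail-server events: privileged or off-hours or externally sourced password resets and admin-account creations, and outbound connections from unexpected processes or to unexpected ports. The log format, the sample events, the internal address ranges and the list of expected egress ports are all constructed placeholders; a real deployment would map SmarterMail's actual logs into the same fields and fill in its own network facts.

```python
"""Hunt for identity-abuse and egress anomalies in mail server event logs.

Everything below is illustrative: the key=value log layout, the sample
events, and the network constants are CONSTRUCTED for this example and are
not SmarterMail's real log format or any organisation's real topology.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events (not real SmarterMail output).
SAMPLE_LOG = """\
2026-02-01T09:02:11Z event=login user=jdoe src=10.0.5.23 result=ok
2026-02-01T09:40:07Z event=password_reset actor=helpdesk target=jdoe src=10.0.5.40
2026-02-01T03:14:22Z event=password_reset actor=SYSTEM target=admin src=203.0.113.5
2026-02-01T03:15:01Z event=outbound_connect proc=mailservice dst=198.51.100.7 port=443
2026-02-01T03:15:09Z event=outbound_connect proc=cmd.exe dst=198.51.100.7 port=4444
2026-02-01T10:00:00Z event=outbound_connect proc=mailservice dst=10.0.9.2 port=25
2026-02-01T03:16:30Z event=admin_created actor=admin target=svc_backup src=203.0.113.5
"""

# Assumed environment facts (placeholders, adjust per deployment).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_EGRESS_PORTS = {25, 443, 465, 587, 993, 995}   # mail + TLS egress only
EXPECTED_OUTBOUND_PROCS = {"mailservice"}               # the mail daemon itself
BUSINESS_HOURS_UTC = range(7, 20)                       # 07:00-19:59 UTC
PRIVILEGED_ACCOUNTS = {"admin"}


@dataclass
class Alert:
    rule: str            # "identity_change" or "egress"
    timestamp: datetime
    summary: str         # which actor/process and target triggered the alert
    reasons: list[str]   # every condition that fired, in rule order


def parse_line(line: str) -> dict[str, str]:
    """Split '<iso-timestamp> k=v k=v ...' into a dict; 'ts' is a datetime."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def identity_reasons(ev: dict) -> list[str]:
    """Why a password reset or admin creation deserves a look."""
    reasons = []
    if ev["event"] == "admin_created":
        reasons.append("new_admin_account")      # persistence via a new privileged user
    elif ev.get("target") in PRIVILEGED_ACCOUNTS:
        reasons.append("privileged_target")      # reset of an existing admin
    if ev["ts"].hour not in BUSINESS_HOURS_UTC:
        reasons.append("off_hours")
    if not is_internal(ev["src"]):
        reasons.append("external_source")
    return reasons


def egress_reasons(ev: dict) -> list[str]:
    """Why an outbound connection from the mail host deserves a look."""
    if is_internal(ev["dst"]):
        return []                                # internal traffic is out of scope here
    reasons = []
    if ev.get("proc") not in EXPECTED_OUTBOUND_PROCS:
        reasons.append("unexpected_process")     # e.g. a shell making network calls
    if int(ev["port"]) not in EXPECTED_EGRESS_PORTS:
        reasons.append("unexpected_port")
    return reasons


def hunt(log_text: str) -> list[Alert]:
    """Run both rules over the log and return one Alert per suspicious event."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        kind = ev.get("event")
        if kind in {"password_reset", "admin_created"}:
            reasons = identity_reasons(ev)
            if reasons:
                alerts.append(Alert("identity_change", ev["ts"],
                                    f"{ev['actor']} -> {ev['target']} from {ev['src']}", reasons))
        elif kind == "outbound_connect":
            reasons = egress_reasons(ev)
            if reasons:
                alerts.append(Alert("egress", ev["ts"],
                                    f"{ev['proc']} -> {ev['dst']}:{ev['port']}", reasons))
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"{a.timestamp.isoformat()} [{a.rule}] {a.summary}: {', '.join(a.reasons)}")
```

On the constructed sample the helpdesk reset of an ordinary user during business hours from an internal address produces nothing, while the 03:14 reset of `admin` from an external address, the `cmd.exe` connection to port 4444, and the off-hours creation of a new admin account each produce one alert listing every condition that fired. Recording all reasons rather than stopping at the first keeps the triage context the article's "identity telemetry" point calls for.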
