Security researchers warn that threat groups are exploiting critical vulnerabilities in SmarterMail, a business email and collaboration server that small to medium-sized businesses use as an alternative to Microsoft Exchange.
A China-linked threat actor, tracked by Microsoft as Storm-2603, has exploited an authentication bypass vulnerability tracked as CVE-2026-23760 to deploy Warlock ransomware, according to a blog released Monday by researchers at ReliaQuest.
The group abuses legitimate administrative functions so that its activity blends in with normal operations and is harder for security teams to spot. It then installs Velociraptor, a legitimate digital forensics and incident response tool, to maintain persistent access in preparation for potential ransomware deployment, according to ReliaQuest.
SmarterTools, the parent company behind SmarterMail, confirmed in a Feb. 3 blog post that its own network was impacted by a Jan. 29 breach.
The company had about 30 servers/virtual machines with SmarterMail installed, but a VM set up by an employee had not been updated and was compromised.
A separate vulnerability, tracked as CVE-2026-24423 and classed as missing authentication for a critical function, allows an unauthenticated attacker to achieve remote code execution on an exposed SmarterMail server.
The Cybersecurity and Infrastructure Security Agency added CVE-2026-24423 to its Known Exploited Vulnerabilities catalog on Feb. 5.
Exploitation of CVE-2026-24423 has been ongoing since Jan. 28, according to researchers at watchTowr. The security firm has seen more than 1,000 attempts from 60 unique attacker IPs and has identified multiple hub address URLs used for out-of-band callbacks.
“Exploitation has remained consistently steady since it was first observed, with one clear exception: weekends,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told Cybersecurity Dive. “Activity drops sharply and then quickly picks up again at the start of the workweek.”
SmarterTools said the vulnerabilities were addressed in Build 9518, released in January, with further fixes added in Build 9526. Because the earlier build did not include all of the fixes, administrators should confirm that their servers are running Build 9526 or later rather than assuming the January update was sufficient.