
Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware

· Published 10/02/2026 16:59 · Modified 10/02/2026 16:59


Essential information

Published
10/02/2026 16:59
Modified
10/02/2026 16:59
Tags
2026-02-10 CVE-2026-23760 ransomware smartermail warlock
Related entities
2 vulnerabilities (cve), 3 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 1 others

Description

A critical vulnerability in email server software () is being actively exploited by the China-based threat actor Storm-2603. The group uses this vulnerability to bypass authentication, reset administrator passwords, and gain full system control through the software's 'Volume Mount' feature. They then install Velociraptor, a legitimate digital forensics tool, to maintain access and prepare for deploying their . The attack chain involves exploiting the password reset API, abusing administrative features, and using legitimate tools to blend in with normal activity. This sophisticated approach allows the group to bypass detection mechanisms and establish persistence. The report also notes simultaneous exploitation attempts of another vulnerability (CVE-2026-24423) against the same targets, highlighting the urgent need for patching and improved security measures.

External references