Synacor and Cisco: CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

CISA Warns of Actively Exploited Zimbra and SharePoint Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging federal agencies to patch two actively exploited vulnerabilities: CVE-2025-66376 (CVSS 7.2) in Synacor Zimbra Collaboration Suite (ZCS) and CVE-2026-20963 (CVSS 8.8) in Microsoft Office SharePoint. Both were added to the Known Exploited Vulnerabilities (KEV) catalog after CISA confirmed exploitation in the wild.

Zimbra XSS Flaw Exploited in Targeted Cyberespionage

The Zimbra vulnerability (CVE-2025-66376), a stored cross-site scripting (XSS) flaw in the Classic UI, was patched in November 2025 (versions 10.0.18 and 10.1.13). However, a suspected Russian state-sponsored threat group has been exploiting it in Operation GhostMail, a campaign targeting Ukraine’s State Hydrographic Service (hydro.gov[.]ua).

The attack leverages a socially engineered internship inquiry email, sent on January 22, 2026, from a compromised account at the National Academy of Internal Affairs. The email carries obfuscated JavaScript embedded in its HTML body, which runs inside the recipient's authenticated webmail session when the message is opened in a vulnerable Zimbra Classic UI. Unlike traditional phishing, the attack needs no malicious attachment, link, or macro; opening the email is enough.

The payload harvests credentials, session tokens, 2FA backup codes, browser-saved passwords, and 90 days of email data, exfiltrating it over DNS and HTTPS. Seqrite Labs, which uncovered the campaign, noted that the technique aligns with earlier Russian operations such as Operation RoundPress, which likewise exploited XSS flaws in webmail software.
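
Exfiltration over DNS, as described above, shows up in resolver logs as many distinct, long, high-entropy subdomains under a single registrable domain, all from one client. The triage script below is an added example, not code from Seqrite Labs or the original article. The log lines are constructed, the domain names (`hydro.example`, `vendor.example`, `exfil-drop.example`) are placeholders, the thresholds are assumptions to be tuned per environment, and the registered-domain split assumes the last two labels rather than consulting the Public Suffix List.

```python
"""DNS exfiltration triage over resolver query logs (added example).

Groups queries by (client, registered domain) and flags groups with many
unique subdomains whose leftmost label is long and high-entropy, which is
what chunked data encoded into hostnames looks like. Log lines and domains
are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, one "<ts> <client> <qtype> <qname>" per line.
# The six 32-char hex labels under exfil-drop.example stand in for data
# chunks; the hydro.example / vendor.example lines are ordinary lookups.
SAMPLE_LOG = """\
2026-01-22T09:14:01Z 10.0.5.23 A   mail.hydro.example
2026-01-22T09:14:03Z 10.0.5.23 A   www.hydro.example
2026-01-22T09:14:05Z 10.0.5.23 A   update.vendor.example
2026-01-22T09:14:06Z 10.0.5.23 A   cdn.vendor.example
2026-01-22T09:14:09Z 10.0.5.40 A   mail.hydro.example
2026-01-22T09:15:10Z 10.0.5.23 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.c1.exfil-drop.example
2026-01-22T09:15:11Z 10.0.5.23 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2.exfil-drop.example
2026-01-22T09:15:12Z 10.0.5.23 TXT a5b4c3d2e1f0968778695a4b3c2d1e0f.c3.exfil-drop.example
2026-01-22T09:15:13Z 10.0.5.23 TXT 96877869a5b4c3d2e1f00f1e2d3c4b5a.c4.exfil-drop.example
2026-01-22T09:15:14Z 10.0.5.23 TXT 1e0f2d3c4b5a69788796a5b4c3d2f0e1.c5.exfil-drop.example
2026-01-22T09:15:15Z 10.0.5.23 TXT 5a4b3c2d1e0f96877869f0e1d2c3b4a5.c6.exfil-drop.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Return (client, qtype, qname) or None for blank/comment lines."""
    parts = line.split()
    if len(parts) < 4 or line.lstrip().startswith("#"):
        return None
    _ts, client, qtype, qname = parts[:4]
    return client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain. Production
    # code should use the Public Suffix List (co.uk, com.ua, ...) instead.
    return ".".join(qname.split(".")[-2:])


def summarize(lines):
    """Aggregate per (client, registered domain)."""
    groups = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                  "label_lens": [], "entropies": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        labels = qname.split(".")
        g = groups[(client, registered_domain(qname))]
        g["queries"] += 1
        g["txt"] += qtype in ("TXT", "NULL")   # record types favoured by tunnels
        if len(labels) > 2:
            g["subdomains"].add(".".join(labels[:-2]))
            g["label_lens"].append(len(labels[0]))
            g["entropies"].append(shannon_entropy(labels[0]))
    return groups


def flag_suspects(lines, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Return [(client, domain, stats)] for groups matching every threshold."""
    suspects = []
    for (client, base), g in summarize(lines).items():
        n = len(g["label_lens"])
        stats = {
            "queries": g["queries"],
            "unique_subdomains": len(g["subdomains"]),
            "mean_label_len": sum(g["label_lens"]) / n if n else 0.0,
            "mean_entropy": sum(g["entropies"]) / n if n else 0.0,
            "txt_share": g["txt"] / g["queries"],
        }
        if (stats["unique_subdomains"] >= min_unique
                and stats["mean_label_len"] >= min_label_len
                and stats["mean_entropy"] >= min_entropy):
            suspects.append((client, base, stats))
    return suspects


if __name__ == "__main__":
    for client, base, stats in flag_suspects(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {base}: {stats}")
```

The thresholds are deliberately conjunctive: a CDN with thousands of short, low-entropy hostnames and a single long vanity label both fall through, while chunked data trips all three. Pair this with egress volume per destination for the HTTPS leg, which the hostname heuristics above cannot see.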

SharePoint Deserialization Flaw Under Active Attack

The second vulnerability, CVE-2026-20963, affects Microsoft Office SharePoint and allows remote code execution (RCE) through deserialization of untrusted data. No public report yet describes how it is being exploited, but its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog confirms in-the-wild use. Federal agencies must patch it by March 23, 2026.

Broader Threat Landscape: Edge Device Exploits

The advisory follows Amazon’s disclosure that Interlock ransomware operators exploited a maximum-severity Cisco firewall flaw (CVE-2026-20131, CVSS 10.0) as a zero-day since January 26, 2026, weeks before public disclosure. The group has historically targeted education, healthcare, manufacturing, and government sectors, where operational disruption maximizes ransom pressure.

CISA added CVE-2026-20131 to its KEV catalog on March 19, 2026, requiring federal agencies to patch by March 22, 2026. The agency also issued an emergency directive covering actively exploited Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128), which requires agencies to submit logs by March 23, 2026.

VulnCheck further warned that CVE-2026-20133, another Catalyst SD-WAN flaw, could enable privilege escalation to root by leaking the vmanage-admin private key and confd_ipc_secret. The firm cautioned that early exploit research may not capture all attack vectors, emphasizing the need for comprehensive patching.

Federal agencies must apply fixes for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.

Source: https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco

Synacor cybersecurity rating report: https://www.rankiteo.com/company/synacor

"id": "CISSYN1774305072",
"linkid": "cisco, synacor",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Maritime/Navigation',
                        'location': 'Ukraine',
                        'name': 'State Hydrographic Service of Ukraine',
                        'type': 'Government'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Federal Agencies (U.S.)',
                        'type': 'Government'},
                       {'industry': ['Education',
                                     'Healthcare',
                                     'Manufacturing',
                                     'Government'],
                        'name': 'Education, Healthcare, Manufacturing, '
                                'Government Sectors',
                        'type': 'Multiple'}],
 'attack_vector': ['Stored XSS (Zimbra)',
                   'Deserialization of Untrusted Data (SharePoint)'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII, government communications)',
                 'type_of_data_compromised': ['Credentials',
                                              'Session tokens',
                                              '2FA backup codes',
                                              'Browser-saved passwords',
                                              'Email data']},
 'date_detected': '2026-01-22',
 'date_publicly_disclosed': '2026-03-19',
 'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
                '(CISA) has issued an alert urging federal agencies to patch '
                'two critical vulnerabilities CVE-2025-66376 (CVSS 7.2) in '
                'Synacor Zimbra Collaboration Suite (ZCS) and CVE-2026-20963 '
                '(CVSS 8.8) in Microsoft Office SharePoint after confirming '
                'active exploitation in the wild. The Zimbra vulnerability was '
                'exploited in Operation GhostMail, a campaign targeting '
                'Ukraine’s State Hydrographic Service, while the SharePoint '
                'flaw is under active attack with no public exploitation '
                'details.',
 'impact': {'data_compromised': ['Credentials',
                                 'Session tokens',
                                 '2FA backup codes',
                                 'Browser-saved passwords',
                                 '90 days of email data'],
            'identity_theft_risk': 'High (PII exposure)',
            'operational_impact': 'Operational disruption in targeted sectors '
                                  '(education, healthcare, manufacturing, '
                                  'government)',
            'systems_affected': ['Synacor Zimbra Collaboration Suite (ZCS)',
                                 'Microsoft Office SharePoint',
                                 'Cisco Firewall']},
 'initial_access_broker': {'entry_point': 'Compromised email account (National '
                                          'Academy of Internal Affairs)',
                           'high_value_targets': ['Ukraine’s State '
                                                  'Hydrographic Service']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Need for timely patching of webmail and collaboration '
                    'software, risks of XSS flaws in email systems, and the '
                    'importance of monitoring edge devices for zero-day '
                    'exploits.',
 'motivation': 'Cyberespionage, Data Exfiltration, Operational Disruption',
 'post_incident_analysis': {'corrective_actions': ['Mandatory patching '
                                                   'deadlines for federal '
                                                   'agencies',
                                                   'Enhanced threat '
                                                   'intelligence sharing',
                                                   'Improved edge device '
                                                   'security monitoring'],
                            'root_causes': ['Unpatched Zimbra XSS '
                                            'vulnerability (CVE-2025-66376)',
                                            'Unpatched SharePoint '
                                            'deserialization flaw '
                                            '(CVE-2026-20963)',
                                            'Zero-day exploit in Cisco '
                                            'firewall (CVE-2026-20131)']},
 'ransomware': {'ransomware_strain': 'Interlock'},
 'recommendations': ['Apply patches for Zimbra (versions 10.0.18/10.1.13) and '
                     'SharePoint (CVE-2026-20963) immediately.',
                     'Monitor for unusual DNS/HTTPS exfiltration traffic.',
                     'Segment networks to limit lateral movement.',
                     'Enhance monitoring of edge devices (e.g., Cisco '
                     'firewalls).',
                     'Conduct phishing awareness training to mitigate socially '
                     'engineered attacks.'],
 'references': [{'date_accessed': '2026-03-19', 'source': 'CISA Advisory'},
                {'source': 'Seqrite Labs Report on Operation GhostMail'},
                {'source': 'Amazon Disclosure on Interlock Ransomware'},
                {'source': 'VulnCheck Warning on Cisco SD-WAN Flaws'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA KEV catalog '
                                                        'additions '
                                                        '(CVE-2025-66376, '
                                                        'CVE-2026-20963, '
                                                        'CVE-2026-20131)',
                                                        'Emergency directive '
                                                        'for Cisco SD-WAN '
                                                        'vulnerabilities']},
 'response': {'enhanced_monitoring': 'Recommended',
              'network_segmentation': 'Recommended',
              'remediation_measures': ['Patching (Zimbra versions '
                                       '10.0.18/10.1.13, SharePoint updates)',
                                       'Network segmentation',
                                       'Enhanced monitoring'],
              'third_party_assistance': 'Seqrite Labs (Zimbra investigation)'},
 'stakeholder_advisories': 'CISA emergency directive for federal agencies to '
                           'patch by March 23, 2026 (SharePoint) and April 1, '
                           '2026 (Zimbra).',
 'threat_actor': 'Suspected Russian state-sponsored threat group',
 'title': 'CISA Warns of Actively Exploited Zimbra and SharePoint '
          'Vulnerabilities',
 'type': ['Cyberespionage', 'Remote Code Execution'],
 'vulnerability_exploited': ['CVE-2025-66376',
                             'CVE-2026-20963',
                             'CVE-2026-20131']}