CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

By Team-CWD, March 27, 2026


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild.

The vulnerabilities in question are as follows –

  • CVE-2025-66376 (CVSS score: 7.2) – A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. (Fixed in versions 10.0.18 and 10.1.13 in November 2025)
  • CVE-2026-20963 (CVSS score: 8.8) – A deserialization of untrusted data vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to execute code over a network. (Fixed in January 2026)
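Because the Zimbra flaw hinges on CSS @import directives carried inside an HTML e-mail body, a mail gateway or triage script can flag such bodies before they reach a webmail session. The following is an added defender-side example, not code from the article, Seqrite Labs or Synacor; the sample message, the `example.invalid` URL and the function names are constructed for illustration. It normalizes CSS escapes and comments so a lightly disguised directive is still matched.

```python
import re
from html.parser import HTMLParser

# Undo CSS backslash escapes ("\69" -> "i") and drop comments so the
# normalized text shows "@import" plainly before matching.
def normalize_css(css: str) -> str:
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)

    def unescape(m):
        hexpart = m.group(1)
        if hexpart:
            try:
                return chr(int(hexpart, 16))
            except ValueError:
                return ""
        return m.group(2)

    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", unescape, css, flags=re.S)

IMPORT_RE = re.compile(r"@import\b", re.I)

class CssCollector(HTMLParser):
    """Collects <style> block contents and inline style="" attributes."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.style_blocks = []
        self.inline_styles = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.inline_styles.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.style_blocks.append(data)

def find_css_imports(html: str) -> list:
    """Return normalized CSS fragments of an HTML mail body that carry an @import."""
    p = CssCollector()
    p.feed(html)
    return [normalize_css(c).strip() for c in p.style_blocks + p.inline_styles
            if IMPORT_RE.search(normalize_css(c))]

# Constructed sample: one escaped @import in a style block, one benign inline
# style, and one inline @import. Real mail would be fed in after MIME decoding.
SAMPLE_MAIL = """<html><body>
<style>@\\69 mport url('https://example.invalid/a.css');</style>
<p style="color:red">Hello</p>
<div style="@import url(x)"></div>
</body></html>"""

if __name__ == "__main__":
    for hit in find_css_imports(SAMPLE_MAIL):
        print("flagged:", hit)
```

A hit is grounds for quarantining or rendering the message with styles stripped until the ZCS instance is confirmed to be on a fixed version.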

The addition of CVE-2025-66376 to the KEV catalog follows a report from Seqrite Labs, which detailed a campaign orchestrated by a suspected Russian state-sponsored intrusion set targeting the State Hydrographic Service of Ukraine (hydro.gov[.]ua). The activity has been codenamed Operation GhostMail.

“A social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body,” the Indian cybersecurity vendor said. “When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376.”

“The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email; there are no malicious attachments.”

The JavaScript malware is designed to harvest credentials, session tokens, backup two-factor authentication (2FA) recovery codes, browser-saved passwords, and the contents of the victim’s mailbox going back 90 days. The captured data is exfiltrated over both DNS and HTTPS. The email message was sent on January 22, 2026, from a likely compromised email address belonging to the National Academy of Internal Affairs.

The campaign is consistent with prior attack waves conducted by Russian state-sponsored threat actors, such as Operation RoundPress, that have leveraged XSS vulnerabilities in webmail software to breach Ukrainian organizations.

“Operation GhostMail demonstrates the continued evolution of webmail-focused intrusion, where attackers rely entirely on browser-resident stealers rather than traditional malware binaries,” Seqrite Labs said. “By embedding obfuscated JavaScript directly within an HTML email and exploiting a Zimbra webmail XSS condition, the threat actor achieves full session interception without dropping files, exploiting macros, or triggering endpoint-based detections.”

There are currently no public reports describing how CVE-2026-20963 is being exploited, the identity of the threat actor exploiting it, or the scale of such efforts. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply patches for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.

The disclosure comes as Amazon revealed that threat actors associated with Interlock ransomware have exploited a maximum-severity security flaw impacting Cisco’s firewall management software (CVE-2026-20131, CVSS score: 10.0) since January 26, 2026, more than a month before it was publicly disclosed.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon said. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care, and government entities.

The attack once again highlights a persistent pattern of threat actors targeting edge network devices from different vendors, including Cisco, Fortinet, Ivanti, and others, to obtain initial access to target networks. The fact that CVE-2026-20131 was weaponized as a zero-day shows that attackers are investing time and resources to find previously unknown flaws that could grant them elevated access.

Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on March 19, 2026, added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to update their instances to the latest version by March 22, 2026.

Late last month, CISA also issued an emergency directive urging FCEB agencies to take steps to mitigate recently disclosed vulnerabilities in Cisco Catalyst SD-WAN systems (CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, and CVE-2026-20128) that have come under active exploitation, and report to it “all syslog logging” and other applicable cloud logs by March 23, 2026, 11:59 p.m. ET.

In a report published last week, VulnCheck revealed that CVE-2026-20133, another flaw in Catalyst SD-WAN, poses a “higher risk than defenders may realize” and is also likely to come under attackers’ radar, if not already.

The cybersecurity firm said the file system access provided by the vulnerability can be exploited to extract the “vmanage-admin” user’s private key and compromise the Network Configuration Protocol (NETCONF) used to configure and manage SD-WAN devices. What’s more, the vulnerability can also be weaponized to leak confd_ipc_secret, allowing any local user to escalate to an unconstrained root shell.

“Early exploits and industry attention on emerging threats can be useful for understanding likely exploitation paths and vulnerability nuances, but they can also lead organizations astray when they rely on untested research artifacts or overly narrow focus on specific attack paths,” VulnCheck researchers Caitlin Condon and Josh Shomo said.

(The story was updated after publication to include details of the advisory from CISA.)
