Cybersecurity Alert: CISA Issues Warning on Zimbra and SharePoint Vulnerabilities, Cisco Zero-Day Exploited in Ransomware Attacks


The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has issued a warning to government agencies to promptly install patches for two critical security vulnerabilities affecting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. These vulnerabilities have been actively exploited by cyber attackers.

The first vulnerability, identified as CVE-2025-66376 with a CVSS score of 7.2, is a stored cross-site scripting flaw in the Classic UI of ZCS. This vulnerability allows attackers to misuse Cascading Style Sheets (CSS) @import directives in an HTML email message. The issue was fixed in versions 10.0.18 and 10.1.13 in November 2025.
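As an added defensive illustration (not code from the article, Seqrite Labs or Zimbra), the following Python scanner flags CSS @import directives found in `<style>` blocks and inline `style` attributes of an HTML message body, the kind of check a mail filter could run before a message reaches a webmail client; the sample messages and the `example.invalid` URL are constructed. It first decodes CSS backslash escapes and strips comments so that a directive a browser's CSS parser would honour is not missed by plain string matching.

```python
"""Flag CSS @import directives in an inbound HTML email body (defensive check)."""
import re
from html.parser import HTMLParser

_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
_IMPORT_RE = re.compile(r"@import\b", re.I)


def normalize_css(css: str) -> str:
    """Strip comments and decode backslash escapes, as a CSS parser would,
    so that e.g. '@\\69mport' (hex escape for 'i') reads as '@import'."""
    css = _CSS_COMMENT.sub(" ", css)  # comments act as separators

    def _unescape(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)

    return _CSS_ESCAPE.sub(_unescape, css)


class _CssCollector(HTMLParser):
    """Collect CSS text from <style> elements and inline style="..." attributes."""

    def __init__(self):
        super().__init__()
        self.chunks = []          # list of (location, css_text)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.chunks.append((f"<{tag} style>", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.chunks.append(("<style>", data))


def find_css_imports(html: str) -> list:
    """Return (location, normalized_css) for every CSS chunk containing @import."""
    parser = _CssCollector()
    parser.feed(html)
    parser.close()
    return [(loc, norm.strip()) for loc, css in parser.chunks
            if _IMPORT_RE.search(norm := normalize_css(css))]


# Constructed sample messages (not taken from the reported campaign).
BENIGN = "<html><body><p style='color:red'>Hello</p></body></html>"
SUSPECT = ("<html><head><style>@\\69mport/**/url('https://example.invalid/x.css');"
           "</style></head><body>Hello</body></html>")
```

A message with hits can be quarantined or have the offending `<style>` content stripped before delivery.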

The second vulnerability, known as CVE-2026-20963 with a CVSS score of 8.8, is a deserialization vulnerability in Microsoft Office SharePoint that enables unauthorized attackers to execute code over a network. This vulnerability was addressed in January 2026.

The addition of CVE-2025-66376 to the KEV catalog was prompted by a report from Seqrite Labs, which revealed a targeted campaign conducted by a suspected Russian state-sponsored group against the State Hydrographic Service of Ukraine. This operation, dubbed Operation GhostMail, involves sending phishing emails containing an obfuscated JavaScript payload that exploits the CVE-2025-66376 vulnerability in Zimbra webmail.

The malicious JavaScript payload is designed to steal various sensitive information such as credentials, session tokens, 2FA recovery codes, browser-saved passwords, and mailbox contents dating back 90 days. The stolen data is then sent out over DNS and HTTPS. The attack began on January 22, 2026, originating from an email address belonging to the National Academy of Internal Affairs.

Operation GhostMail reflects a trend in webmail-focused attacks where threat actors leverage XSS vulnerabilities to breach organizations. This campaign showcases the use of browser-resident stealers embedded in HTML emails to intercept sessions without the need for traditional malware.


While CVE-2025-66376 has been actively exploited, there are currently no public reports of CVE-2026-20963 being exploited. Federal Civilian Executive Branch (FCEB) agencies are advised to apply patches for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.

Amazon recently disclosed that threat actors associated with Interlock ransomware have been exploiting a severe security vulnerability (CVE-2026-20131) in Cisco’s firewall management software since January 26, 2026. This highlights the ongoing trend of threat actors targeting network devices to gain initial access to target networks.

The use of CVE-2026-20131 as a zero-day exploit underscores attackers’ efforts to find previously unknown vulnerabilities for elevated access. This attack emphasizes the importance of promptly patching vulnerabilities to prevent unauthorized access and data breaches.
