CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html

Publish Date: 2026-03-19 02:05:00

Source Domain: thehackernews.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild.

The vulnerabilities in question are as follows –

  • CVE-2025-66376 (CVSS score: 7.2) – A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. (Fixed in versions 10.0.18 and 10.1.13 in November 2025)
  • CVE-2026-20963 (CVSS score: 8.8) – A deserialization of untrusted data vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to execute code over a network. (Fixed in January 2026)

The addition of CVE-2025-66376 to the KEV catalog follows a report from Seqrite Labs, which detailed a campaign orchestrated by a suspected Russian state-sponsored intrusion set targeting the State Hydrographic Service of Ukraine (hydro.gov[.]ua). The activity has been codenamed Operation GhostMail.

“A social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body,” the Indian cybersecurity vendor said. “When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376.”

“The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email; there are no malicious attachments.”

The JavaScript malware is designed to harvest credentials, session tokens, backup two-factor authentication (2FA) recovery codes, browser-saved passwords, and the contents of the victim’s mailbox going back 90 days. The captured data is exfiltrated over both DNS and HTTPS. The email message was sent on January 22, 2026, from a likely compromised email address belonging to the National Academy of Internal Affairs.
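As an added example (not code from the article, from Zimbra, or from Seqrite Labs), the following Python mail-gateway check targets the ingress vector described above: it pulls every <style> block and style="" attribute out of an HTML email body, strips CSS comments and decodes CSS hex escapes so that a case change or an escaped keyword such as @\69mport does not hide the directive, and reports each @import target. The two sample messages are constructed for illustration, the hostnames in them are placeholders rather than indicators from the campaign, and since the article does not publish the payload, the exact obfuscation used in Operation GhostMail is not reproduced here.

```python
import re
from html.parser import HTMLParser

# CSS hex escape: backslash, 1 to 6 hex digits, optional single trailing whitespace.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# "@import <url>" or "@import url(<url>)", quotes optional, case-insensitive.
_IMPORT = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.IGNORECASE)


def _unescape(m: re.Match) -> str:
    cp = int(m.group(1), 16)
    return chr(cp) if cp <= 0x10FFFF else "\ufffd"


def normalise_css(css: str) -> str:
    """Strip comments and decode hex escapes so an obfuscated keyword still matches."""
    return _CSS_ESCAPE.sub(_unescape, _CSS_COMMENT.sub("", css))


class _CssCollector(HTMLParser):
    """Collect <style> element contents and inline style="" attribute values."""

    def __init__(self) -> None:
        super().__init__()
        self._in_style = False
        self.blocks: list[tuple[str, str]] = []  # (location, raw css)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.blocks.append((f"{tag}[style]", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.blocks.append(("<style>", data))


def find_css_imports(html_body: str) -> list[tuple[str, str]]:
    """Return (location, target) for every @import found in the email's CSS."""
    collector = _CssCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for where, css in collector.blocks:
        for m in _IMPORT.finditer(normalise_css(css)):
            findings.append((where, m.group(1)))
    return findings


# Constructed sample messages; hostnames are placeholders, not campaign indicators.
BENIGN_EMAIL = """<html><body>
<style>p { color: #333; }</style>
<p style="font-size:14px">Hello, I am writing about internship opportunities.</p>
</body></html>"""

SUSPECT_EMAIL = """<html><body>
<style>
/* innocuous-looking */ body { margin: 0; }
@IMPORT url( "https://cdn.invalid/theme.css" );
</style>
<div style="color:red; @\\69mport 'https://cdn.invalid/x.css'">Hello</div>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_EMAIL), ("suspect", SUSPECT_EMAIL)):
        hits = find_css_imports(body)
        print(f"{label}: {'ALERT' if hits else 'clean'} {hits}")
```

A hit is a quarantine or deep-inspection trigger rather than proof of exploitation: legitimate newsletters rarely use @import in mail, but a gateway should still log the target and the message source before blocking outright.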

The campaign is…
