The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding the active exploitation of critical vulnerabilities affecting Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. The agency has urged organizations, especially government entities, to immediately apply security patches to mitigate risks.
Actively Exploited Vulnerabilities
The two vulnerabilities highlighted by CISA include:
- CVE-2025-66376 (CVSS 7.2)
A stored cross-site scripting (XSS) flaw in Zimbra’s Classic UI. Attackers exploit Cascading Style Sheets (CSS)@importdirectives embedded within HTML email messages. This issue has been patched in versions 10.0.18 and 10.1.13. - CVE-2026-20963 (CVSS 8.8)
A deserialization vulnerability in Microsoft Office SharePoint that allows unauthorized remote code execution. The flaw was fixed in January 2026.
CISA has added the Zimbra vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming its active use in real-world attacks.
Operation GhostMail: Email-Based Attack Campaign
Security researchers from Seqrite Labs uncovered a campaign dubbed Operation GhostMail, believed to be linked to a Russian state-sponsored threat group targeting Ukrainian infrastructure.
The attack uses a social engineering technique, presenting itself as an internship inquiry email. Unlike traditional phishing campaigns, this attack contains:
- No attachments
- No malicious links
- No macros
Instead, the entire payload is embedded directly within the HTML body of the email.
When opened in a vulnerable Zimbra webmail session, the embedded JavaScript executes and exploits the XSS flaw. The malware is capable of:
- Stealing login credentials and session tokens
- Extracting 2FA recovery codes
- Accessing stored browser passwords
- Collecting mailbox data from the past 90 days
The stolen data is exfiltrated through both DNS and HTTPS channels.
Researchers noted similarities with earlier campaigns like Operation RoundPress, where attackers leveraged webmail vulnerabilities to infiltrate organizations.
SharePoint Exploitation Status
While there are currently no confirmed public reports detailing exploitation of the SharePoint vulnerability, CISA has still mandated urgent patching due to its high severity and potential for remote code execution.
Federal agencies are required to:
- Patch CVE-2025-66376 by April 1, 2026
- Patch CVE-2026-20963 by March 23, 2026
Cisco Zero-Day Linked to Interlock Ransomware
The advisory also coincides with findings from Amazon, which revealed that the Interlock ransomware group has been exploiting a critical Cisco vulnerability, CVE-2026-20131 (CVSS 10.0), since January 2026 as a zero-day.
This flaw impacts Cisco firewall management systems and enables attackers to gain root-level access and execute arbitrary code.
The ransomware group has targeted sectors including:
- Education
- Healthcare
- Manufacturing
- Government
- Engineering and construction
Growing Trend of Targeting Network Edge Devices
The attacks highlight an ongoing trend where threat actors focus on edge network devices from vendors such as Cisco, Fortinet, and Ivanti to gain initial access.
The use of zero-day vulnerabilities demonstrates that attackers are investing significant resources into discovering unknown weaknesses that can provide privileged access to enterprise networks.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.


