CISA Warns of Zimbra and SharePoint Exploits as Cisco Zero Day Targeted in Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding the active exploitation of critical vulnerabilities affecting Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. The agency has urged organizations, especially government entities, to immediately apply security patches to mitigate risks.

Actively Exploited Vulnerabilities

The two vulnerabilities highlighted by CISA include:

  • CVE-2025-66376 (CVSS 7.2)
    A stored cross-site scripting (XSS) flaw in Zimbra’s Classic UI. Attackers exploit Cascading Style Sheets (CSS) @import directives embedded within HTML email messages. This issue has been patched in versions 10.0.18 and 10.1.13.
  • CVE-2026-20963 (CVSS 8.8)
    A deserialization vulnerability in Microsoft Office SharePoint that allows unauthorized remote code execution. The flaw was fixed in January 2026.

CISA has added the Zimbra vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming its active use in real-world attacks.

Operation GhostMail: Email-Based Attack Campaign

Security researchers from Seqrite Labs uncovered a campaign dubbed Operation GhostMail, believed to be linked to a Russian state-sponsored threat group targeting Ukrainian infrastructure.

The attack uses a social engineering technique, presenting itself as an internship inquiry email. Unlike traditional phishing campaigns, this attack contains:

  • No attachments
  • No malicious links
  • No macros

Instead, the entire payload is embedded directly within the HTML body of the email.

When opened in a vulnerable Zimbra webmail session, the embedded JavaScript executes and exploits the XSS flaw. The malware is capable of:

  • Stealing login credentials and session tokens
  • Extracting 2FA recovery codes
  • Accessing stored browser passwords
  • Collecting mailbox data from the past 90 days

The stolen data is exfiltrated through both DNS and HTTPS channels.

Researchers noted similarities with earlier campaigns like Operation RoundPress, where attackers leveraged webmail vulnerabilities to infiltrate organizations.

SharePoint Exploitation Status

While there are currently no confirmed public reports detailing exploitation of the SharePoint vulnerability, CISA has still mandated urgent patching due to its high severity and potential for remote code execution.

Federal agencies are required to:

  • Patch CVE-2025-66376 by April 1, 2026
  • Patch CVE-2026-20963 by March 23, 2026

Cisco Zero-Day Linked to Interlock Ransomware

The advisory also coincides with findings from Amazon, which revealed that the Interlock ransomware group has been exploiting a critical Cisco vulnerability, CVE-2026-20131 (CVSS 10.0), since January 2026 as a zero-day.

This flaw impacts Cisco firewall management systems and enables attackers to gain root-level access and execute arbitrary code.

The ransomware group has targeted sectors including:

  • Education
  • Healthcare
  • Manufacturing
  • Government
  • Engineering and construction

Growing Trend of Targeting Network Edge Devices

The attacks highlight an ongoing trend where threat actors focus on edge network devices from vendors such as Cisco, Fortinet, and Ivanti to gain initial access.

The use of zero-day vulnerabilities demonstrates that attackers are investing significant resources into discovering unknown weaknesses that can provide privileged access to enterprise networks.




Found this article interesting? Follow us on  X (Twitter) FacebookBlue sky and LinkedIn to read more exclusive content we post.