The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited flaws to its Known Exploited Vulnerabilities (KEV) Catalog. The additions, a critical remote code execution (RCE) bug in Microsoft SharePoint and a stored cross-site scripting (XSS) flaw in Zimbra Collaboration Suite, underscore the persistent threat to both federal networks and private enterprises.
The more severe of the two, CVE-2026-20963, is a remote code execution vulnerability in Microsoft SharePoint with a CVSS score of 9.8. The flaw is rooted in “deserialization of untrusted data” (CWE-502), a classic vulnerability pattern that here lets an unauthenticated attacker execute code over the network without any credentials.
In a typical network-based attack, a malicious actor could “write arbitrary code to inject and execute code remotely on the SharePoint Server”. Microsoft shipped a fix in its January Patch Tuesday release; the bug's addition to the KEV catalog indicates that attackers are still finding and compromising servers that have not applied it.
The second addition, CVE-2025-66376, targets the Synacor Zimbra Collaboration Suite (ZCS). This vulnerability allows for “Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message”.
By crafting a message, an attacker can embed styles that cause script to execute in the victim's browser context when the email is viewed in the Classic UI. The issue affects ZCS 10.0 before 10.0.18 and 10.1 before 10.1.13.
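The defensive counterpart to the mechanism just described, as an added example that is not Zimbra's code or its fix: a small Python sanitizer that detects and strips CSS @import directives from the <style> blocks and inline style attributes of an HTML e-mail before it is rendered. The sample message, the attacker.example host, and the function names are constructed for illustration.

```python
import re

# Constructed sample HTML e-mail body (illustrative, not a real exploit): one
# @import in a <style> block and one inside an inline style attribute, both
# pointing at a hypothetical attacker-controlled stylesheet.
SAMPLE_EMAIL_HTML = """<html><head>
<style>
  @import url("https://attacker.example/evil.css");
  body { font-family: sans-serif; }
</style>
</head><body>
<p style="color:red; @import 'https://attacker.example/inline.css';">Hello</p>
<p>Quarterly report attached.</p>
</body></html>"""

# One @import rule: the directive, its target as url(...) or a quoted string,
# any trailing media list, and the terminating semicolon if present.
IMPORT_RULE = re.compile(
    r"""@import\s+(?:url\([^)]*\)|"[^"]*"|'[^']*')[^;]*;?""",
    re.IGNORECASE,
)
STYLE_BLOCK = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.IGNORECASE | re.DOTALL)
STYLE_ATTR = re.compile(r"""(\bstyle\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def find_css_imports(html: str) -> list[str]:
    """Return every @import rule found in <style> blocks or style= attributes."""
    found: list[str] = []
    for m in STYLE_BLOCK.finditer(html):
        found.extend(IMPORT_RULE.findall(m.group(2)))
    for m in STYLE_ATTR.finditer(html):
        found.extend(IMPORT_RULE.findall(m.group(3)))
    return found


def strip_css_imports(html: str) -> str:
    """Remove @import rules from <style> blocks and style= attributes, leaving
    the rest of the CSS (and the HTML) untouched."""
    def clean_block(m: re.Match) -> str:
        return m.group(1) + IMPORT_RULE.sub("", m.group(2)) + m.group(3)

    def clean_attr(m: re.Match) -> str:
        return m.group(1) + m.group(2) + IMPORT_RULE.sub("", m.group(3)) + m.group(2)

    html = STYLE_BLOCK.sub(clean_block, html)
    return STYLE_ATTR.sub(clean_attr, html)


if __name__ == "__main__":
    for rule in find_css_imports(SAMPLE_EMAIL_HTML):
        print("blocked:", rule)
    print(strip_css_imports(SAMPLE_EMAIL_HTML))
```

Run it to see both rules reported and the cleaned body printed. The regexes are deliberately simple; a production filter should tokenize the CSS rather than pattern-match it, since CSS escapes (such as @\69mport) and comments inside the directive defeat string matching, and an unterminated <style> block would slip past the block regex.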
Such vulnerabilities are “frequent attack vectors for malicious cyber actors and pose significant risks”. The remediation deadline attached to a KEV entry formally binds only federal civilian executive branch agencies (under Binding Operational Directive 22-01), but the catalog serves as a critical “to-do list” for security administrators everywhere: if CISA says a bug is being exploited, your organization is likely in the crosshairs if it has not yet updated.
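How the catalog becomes that to-do list in practice, as an added Python example that is not CISA tooling or code from this article: it joins a KEV feed against a software inventory, compares Zimbra versions with the fixed releases the article names, flags SharePoint hosts for manual verification because the article gives no build number, and computes days remaining until CISA's due date. The feed sample (its dates and product strings), the inventory hosts, and the function names are all constructed assumptions; only the schema field names match the real KEV JSON.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. The field names
# follow the catalog's published schema; the dates, product strings and
# requiredAction text are illustrative placeholders, not values from the live feed.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft",
     "product": "SharePoint", "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2025-66376", "vendorProject": "Synacor",
     "product": "Zimbra Collaboration Suite", "dateAdded": "2026-02-10",
     "dueDate": "2026-03-03",
     "requiredAction": "Apply mitigations per vendor instructions."},
]})

# Constructed asset inventory with hypothetical hosts.
INVENTORY = [
    {"host": "mail1", "vendor": "Synacor", "product": "Zimbra Collaboration Suite", "version": "10.0.17"},
    {"host": "mail2", "vendor": "Synacor", "product": "Zimbra Collaboration Suite", "version": "10.1.13"},
    {"host": "sp01", "vendor": "Microsoft", "product": "SharePoint", "version": "2019"},
    {"host": "web1", "vendor": "nginx", "product": "nginx", "version": "1.26.0"},
]

# Fixed versions the article states, keyed by CVE and release branch: ZCS 10.0
# is fixed in 10.0.18 and 10.1 in 10.1.13. The SharePoint fix is a January
# Patch Tuesday update with no build number given, so that CVE has no entry
# here and matching hosts are flagged for manual verification instead.
FIXED_VERSIONS = {
    "CVE-2025-66376": {"10.0": (10, 0, 18), "10.1": (10, 1, 13)},
}


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def version_below_fix(version: str, fixed_by_branch: dict):
    """True if the version is in a covered branch and older than that branch's
    fix, False if at or above it, None if the branch is not covered."""
    parts = parse_version(version)
    branch = ".".join(str(p) for p in parts[:2])
    if branch not in fixed_by_branch:
        return None
    return parts < fixed_by_branch[branch]


def triage(kev_json: str, inventory: list, today_iso: str) -> list:
    """Join KEV entries to inventory on vendor and product and report status
    and days remaining until CISA's due date (negative when overdue)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if (asset["vendor"].lower() != entry["vendorProject"].lower()
                    or asset["product"].lower() != entry["product"].lower()):
                continue
            fixed = FIXED_VERSIONS.get(entry["cveID"])
            if fixed is None:
                status = "verify-manually"
            else:
                below = version_below_fix(asset["version"], fixed)
                status = {True: "vulnerable", False: "patched", None: "unknown-branch"}[below]
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "status": status, "days_to_due": (due - today).days})
    return findings


def action_items(findings: list) -> list:
    """Everything not confirmed patched, most urgent first."""
    return sorted((f for f in findings if f["status"] != "patched"),
                  key=lambda f: f["days_to_due"])


if __name__ == "__main__":
    for item in action_items(triage(KEV_FEED, INVENTORY, date.today().isoformat())):
        print(item)
```

The join is on exact vendor and product strings, which is where real inventories bite: names rarely match the feed verbatim, so a production version needs a normalisation table (or CPE matching) in front of this comparison. A host in an uncovered branch is reported as "unknown-branch" rather than silently treated as safe.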