Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild. The vulnerabilities in question are as follows - CVE-2025-66376 (CVSS score: 7.2) - A stored cross-site scripting
Analysis Summary
# Vulnerability: Stored XSS in Zimbra Collaboration Suite (ZCS)
## CVE Details
- **CVE ID:** CVE-2025-66376
- **CVSS Score:** 7.2 (High)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** Synacor Zimbra Collaboration Suite (ZCS)
- **Versions:** Versions prior to 10.0.18 and 10.1.13
- **Configurations:** Systems utilizing the **Classic UI** interface.
## Vulnerability Description
This is a stored cross-site scripting (XSS) vulnerability existing in the Zimbra Classic UI. The flaw stems from improper sanitization of Cascading Style Sheets (CSS) `@import` directives within HTML email messages. An attacker can send a specially crafted email that, when viewed by a victim, executes malicious scripts in the context of the user's session.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV Catalog)
- **Complexity:** Medium
- **Attack Vector:** Network (Email-based)
## Impact
- **Confidentiality:** High (Potential theft of session cookies, authentication tokens, and sensitive mailbox data)
- **Integrity:** Medium (Potential to perform unauthorized actions on behalf of the user)
- **Availability:** None reported
## Remediation
### Patches
Update Zimbra Collaboration Suite to the following versions or later:
- **ZCS 10.0.18**
- **ZCS 10.1.13**
### Workarounds
No specific workarounds were provided in the source; however, migrating users from the "Classic UI" to the "Modern UI" may mitigate the specific attack vector described.
## Detection
- **Indicators of compromise:** Look for unusual HTML emails containing CSS `@import` directives (in `<style>` blocks or inline `style` attributes) that point to external or suspicious domains.
- **Detection methods and tools:** Since the injected script runs in the victim's browser and is not logged server-side, review Zimbra web access logs for anomalous session activity following the opening of suspicious messages. Use automated vulnerability scanners to confirm that ZCS is at a patched version.
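The indicator above can be checked mechanically. The following triage helper is an added example written for this summary, not code from Zimbra or CISA: it pulls `<style>` blocks and inline `style` attributes out of an HTML mail body and classifies every `@import` target as trusted, external, or relative/malformed. The sample message, the trusted host `cdn.example-mail-provider.test`, and the host `lookalike-cdn.invalid` are constructed values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches "@import url(...)" and "@import '...'"; CSS escapes are not decoded, so hits are triage leads
IMPORT_RE = re.compile(
    r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)['\"]?\s*\)?", re.IGNORECASE)


class _CssCollector(HTMLParser):
    """Collects <style> block contents and inline style="" attribute values."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._style_buf = None  # non-None only while inside a <style> element

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "style":
            self._style_buf = []
        for name, value in attrs:  # attribute values arrive already unescaped
            if name.lower() == "style" and value:
                self.chunks.append(value)

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "style" and self._style_buf is not None:
            self.chunks.append("".join(self._style_buf))
            self._style_buf = None


def find_css_imports(html, trusted_hosts=()):
    """Return (url, verdict) for every CSS @import found in an HTML mail body."""
    collector = _CssCollector()
    collector.feed(html)
    collector.close()
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for chunk in collector.chunks:
        for url in IMPORT_RE.findall(chunk):
            host = urlparse(url).hostname
            verdict = ("relative-or-malformed" if host is None
                       else "trusted" if host.lower() in trusted else "external")
            findings.append((url, verdict))
    return findings


# Constructed sample message body (not a real captured email).
SAMPLE_EMAIL_HTML = """<html><head>
<style>@import url("https://cdn.example-mail-provider.test/theme.css");</style>
</head><body><div style="@import 'http://lookalike-cdn.invalid/x.css'; color: red">
Report</div><p style="@import &quot;local.css&quot;">Hello</p></body></html>"""
```

Running `find_css_imports(SAMPLE_EMAIL_HTML, ("cdn.example-mail-provider.test",))` over a mail store flags the second and third imports for analyst review; a real deployment would feed MIME-decoded `text/html` parts rather than the embedded sample.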
## References
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- Zimbra Security Advisories: hxxps[://]wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- CVE Record: hxxps[://]www.cve.org/CVERecord?id=CVE-2025-66376
---
# Vulnerability: SharePoint Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2026-20963
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Microsoft Office SharePoint
- **Versions:** Multiple versions (Refer to Microsoft January 2026 Security Update)
- **Configurations:** Network-accessible SharePoint instances.
## Vulnerability Description
This vulnerability involves the deserialization of untrusted data. An unauthorized (unauthenticated) attacker can send a malicious request to a vulnerable SharePoint server over the network. If successfully processed, the flaw allows the attacker to execute arbitrary code in the context of the SharePoint server process.
## Exploitation
- **Status:** Exploited in the wild
- **Complexity:** Low/Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- Apply the **Microsoft January 2026** cumulative security updates for SharePoint Server.
### Workarounds
None provided; immediate patching is required due to the RCE nature of the flaw.
## Detection
- Monitor for unexpected network traffic to SharePoint endpoints, particularly those involving serialized objects.
- Use CISA’s KEV catalog to prioritize patching schedules (Deadline: March 23, 2026).
## References
- Microsoft Security Update Guide: hxxps[://]msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
- CISA Alert: hxxps[://]www.cisa.gov/news-events/alerts/2026/03/18/cisa-adds-one-known-exploited-vulnerability-catalog-0