CISA Adds Microsoft SharePoint and Zimbra Vulnerabilities to KEV Catalog
CISA added two newly tracked flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-20963 in Microsoft SharePoint and CVE-2025-66376 in Synacor Zimbra Collaboration Suite. The SharePoint issue is a deserialization of untrusted data vulnerability, mapped to CWE-502, that can allow code execution over the network; CISA’s KEV entry describes it as enabling an unauthorized attacker to execute code remotely. The Zimbra issue is a stored cross-site scripting flaw in the Classic UI, mapped to CWE-79, in which attackers can abuse CSS @import directives in email HTML.
CISA’s KEV update requires federal civilian executive branch agencies to remediate the SharePoint flaw by 2026-03-21 and the Zimbra flaw by 2026-04-01, or follow applicable mitigation guidance under BOD 22-01. The GitHub KEV data commit confirms both additions and records the required actions as applying vendor mitigations, following cloud-service guidance where relevant, or discontinuing use if mitigations are unavailable. The reporting also notes that, while the KEV catalog is binding on federal agencies, private organizations should review the catalog and prioritize these vulnerabilities because CISA has identified them as actively exploited.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Seqrite links Zimbra flaw exploitation to Operation GhostMail in Ukraine
Seqrite Labs said exploitation of Zimbra Collaboration Suite flaw CVE-2025-66376 was tied to Operation GhostMail, a suspected Russian state-sponsored campaign. The activity reportedly targeted the State Hydrographic Service of Ukraine via a malicious HTML email used to steal credentials, session tokens, 2FA recovery codes, browser passwords, and mailbox contents.
CISA warns SharePoint CVE-2026-20963 is actively exploited in the wild
CISA said CVE-2026-20963, a critical SharePoint remote code execution flaw, is being actively exploited against unpatched servers. Reporting noted Microsoft had updated its advisory, while CISA said it had not found evidence of ransomware-related exploitation.
CISA orders agencies to remediate exploited SharePoint and Zimbra flaws
After adding CVE-2026-20963 and CVE-2025-66376 to the KEV catalog, CISA directed Federal Civilian Executive Branch agencies to patch the SharePoint flaw by March 21, 2026 and the Zimbra flaw by April 1, 2026. CISA also advised organizations to review the KEV catalog and apply vendor mitigations.
CISA adds five flaws to KEV catalog, including SharePoint and Zimbra
CISA added five newly listed Known Exploited Vulnerabilities affecting Microsoft SharePoint, Synacor Zimbra Collaboration Suite, Wing FTP Server, and Google Chromium/Skia components. The additions were reflected in the KEV data update published on March 18, 2026.
Interlock-linked actors begin exploiting Cisco zero-day CVE-2026-20131
According to Amazon, threat actors linked to the Interlock ransomware operation started exploiting Cisco firewall management software zero-day CVE-2026-20131 before it was publicly disclosed. The activity reportedly began on January 26, 2026.
Microsoft patches SharePoint RCE flaw CVE-2026-20963
Microsoft released a fix for CVE-2026-20963, a deserialization of untrusted data vulnerability in SharePoint Server that can allow unauthenticated remote code execution. Later reporting states the flaw was patched in January 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Updated CISA exploited flaws list adds SharePoint, Zimbra bugs | brief | SC Media
scworld.com
Open sourceCISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks
thehackernews.com
Open sourceCritical Microsoft SharePoint flaw now exploited in attacks
bleepingcomputer.com
Open sourceU.S. CISA adds Microsoft SharePoint and Zimbra flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceAdd Updated KEV Files for 2026-03-18 · cisagov/kev-data@9cf6af0 · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Actively Exploited Microsoft SharePoint RCE to KEV Catalog
**CISA** added **CVE-2026-20963**, a **Microsoft SharePoint** deserialization flaw, to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation in the wild. The vulnerability allows an **unauthorized remote attacker** to execute arbitrary code over the network by sending crafted serialized data that SharePoint improperly deserializes, creating a **pre-authentication remote code execution** path. Reporting indicates the specific threat actors behind the attacks have not been publicly identified, but the flaw affects a widely deployed enterprise collaboration platform that often stores sensitive internal documents and communications. The KEV entry triggered urgent remediation requirements, including a **March 21, 2026** deadline for **FCEB agencies** under **Binding Operational Directive 22-01**. Additional reporting notes that the same KEV update also included vulnerabilities in **Wing FTP Server** and **Synacor Zimbra Collaboration Suite**, but the SharePoint issue stands out because of its likely value for **initial access brokers** and **ransomware affiliates** seeking enterprise footholds. Organizations using SharePoint should treat internet-exposed systems as high priority for patching and review for signs of compromise given confirmed in-the-wild exploitation.
Mar 26, 2026
CISA Adds Actively Exploited Zimbra XSS Flaw to KEV Catalog
**CISA** added **CVE-2025-66376** to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation of a **stored cross-site scripting (XSS)** flaw in **Synacor Zimbra Collaboration Suite (ZCS)**. The vulnerability affects the *Classic UI* and allows remote unauthenticated attackers to abuse CSS `@import` directives embedded in email HTML, creating a path to execute malicious JavaScript in a victim's browser session. The KEV entry describes the issue as a **CWE-79** XSS vulnerability and directs organizations to apply vendor mitigations, follow **BOD 22-01** guidance for cloud services, or discontinue use if mitigations are unavailable. CISA ordered **Federal Civilian Executive Branch (FCEB)** agencies to remediate the flaw by **April 1**, while also urging private-sector organizations to patch quickly because the bug is being exploited in the wild. Reporting on the KEV addition notes that the flaw was patched by Zimbra earlier and could enable session hijacking and theft of sensitive data within affected Zimbra environments through malicious HTML email content. The same KEV update also included other unrelated vulnerabilities, but the Zimbra entry is the relevant event tied to the active exploitation warning and federal patching directive.
Mar 21, 2026
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026