CISA urges agencies to patch actively exploited Zimbra and SharePoint flaws

In an advisory published on March 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency urged government agencies to apply patches for two actively exploited vulnerabilities, one in Synacor Zimbra and one in Microsoft SharePoint.

KEY FACTS

  • Incident: Active exploitation reported for two server vulnerabilities
  • Zimbra CVE-2025-66376 is a stored XSS fixed in Zimbra versions 10.0.18 and 10.1.13
  • SharePoint CVE-2026-20963 is a deserialization flaw fixed in January 2026

The advisory links the Zimbra issue to a webmail campaign that targeted the State Hydrographic Service of Ukraine via a crafted HTML email. The attack chain uses an embedded, obfuscated JavaScript payload that executes when a message is opened in a vulnerable Zimbra Classic UI session.

The embedded script is reported to harvest credentials, session tokens, two-factor backup recovery codes, browser-saved passwords and mailbox contents going back 90 days. Exfiltration occurred over DNS and HTTPS, and one message was sent on January 22, 2026 from a likely compromised address.
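The campaign described above turns on a webmail client executing JavaScript that arrived inside an HTML message. As an added illustration, not code from the advisory, from Zimbra or from the reported campaign, the following mail-gateway check flags the three classic carriers of active content in an HTML body: script elements, on* event-handler attributes, and javascript: (or vbscript:) URLs, including URLs hidden behind HTML character references or leading whitespace. The sample messages are constructed for the example and do not reproduce the payload used against the Ukrainian target; the exact vector of CVE-2025-66376 is not stated on this page, so the scanner is a generic control, not a signature for that bug.

```python
"""Flag active content in HTML email bodies (added example, not from the advisory).

Uses only the standard-library HTMLParser. Attribute values are unescaped by
the parser, so an entity-encoded scheme such as &#106;avascript: is seen as
javascript: here, the same way a browser would see it.
"""
from html.parser import HTMLParser

# Attributes that accept a URL and therefore a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentScanner(HTMLParser):
    """Collects (finding_type, tag, attribute) tuples while parsing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", tag, ""))
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                # onload, onerror, onclick, ... : inline handlers
                self.findings.append(("event-handler", tag, lname))
            elif lname in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters before the
                # scheme, so normalise the same way before comparing.
                normalised = "".join(
                    ch for ch in value if ch.isprintable() and not ch.isspace()
                ).lower()
                if normalised.startswith(SCRIPT_SCHEMES):
                    self.findings.append(("script-url", tag, lname))


def scan_html_email(body: str) -> list:
    """Return the list of active-content findings for one HTML body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_suspicious(body: str) -> bool:
    """Gateway decision: any finding means the message needs quarantine or stripping."""
    return bool(scan_html_email(body))


# Constructed sample bodies (hypothetical, not the campaign's real messages).
SAMPLES = {
    "benign": "<html><body><p>Quarterly report attached.</p>"
              "<a href='https://example.invalid/report'>link</a></body></html>",
    "inline_script": "<html><body><script>/* constructed sample */</script></body></html>",
    "event_handler": "<html><body><img src='x' onerror='/* constructed */'></body></html>",
    "script_url": "<html><body><a href='  JavaScript:void(0)'>click</a></body></html>",
    "entity_encoded": "<html><body><a href='&#106;avascript:void(0)'>click</a></body></html>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15} suspicious={is_suspicious(body)} findings={scan_html_email(body)}")
```

On a real gateway the same pass would normally strip the offending nodes rather than only report them, and it is a complement to patching, not a replacement: a sanitiser sitting in front of an unpatched webmail client still leaves the client's own rendering bug in place.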

The advisory names the two tracked vulnerabilities as CVE-2025-66376, a stored cross-site scripting bug with a CVSS score of 7.2, and CVE-2026-20963, a network-accessible deserialization flaw with a CVSS score of 8.8.

Federal Civilian Executive Branch agencies are given patch deadlines in the advisory: apply fixes for CVE-2025-66376 by April 1, 2026 and for CVE-2026-20963 by March 23, 2026. The advisory also notes there are no public reports identifying the actor or scale of exploitation for the SharePoint flaw.

WHY IT MATTERS

Unpatched webmail and server software can allow credential and session theft without traditional malware files. Applying the published patches reduces the immediate risk to organizations running the affected products.