CISA Flags Three Critical Exploited Flaws Across Email, SharePoint, and Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a triple-threat advisory on March 18, 2026, warning federal agencies and critical infrastructure operators of active exploitation across three widely deployed platforms. Two vulnerabilities — one in Synacor Zimbra Collaboration Suite (ZCS) and one in Microsoft Office SharePoint — were added to CISA's Known Exploited Vulnerabilities (KEV) catalog, while a maximum-severity zero-day in Cisco Secure Firewall Management Center was simultaneously confirmed as the vector used by the Interlock ransomware gang in attacks dating back to January 26, 2026.
The advisories were first reported by The Hacker News on March 19, 2026.
CISA KEV Additions — March 18, 2026
| CVE | Product | Severity | Type | KEV Added | FCEB Deadline |
|---|---|---|---|---|---|
| CVE-2025-66376 | Zimbra Collaboration Suite 10.x | Medium–High | Stored XSS | March 18, 2026 | April 1, 2026 |
| CVE-2026-20963 | Microsoft SharePoint Server | 8.8 High | Deserialization RCE | March 18, 2026 | March 21, 2026 (URGENT) |
Note: The March 21 deadline for CVE-2026-20963 gives Federal Civilian Executive Branch (FCEB) agencies only 3 days to patch — reflecting CISA's assessment of the severity and active exploitation risk.
CVE-2025-66376: Zimbra Collaboration Suite Stored XSS
Overview
A stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) Classic UI allows attackers to embed malicious JavaScript via CSS @import directives in HTML email messages. When a victim opens or previews the crafted email, the script executes in their browser session — enabling session token theft, credential harvesting, or account takeover without any further user interaction beyond reading mail.
| Attribute | Value |
|---|---|
| CVE | CVE-2025-66376 |
| CWE | CWE-79 — Stored Cross-Site Scripting |
| CVSS (NIST) | 6.1 Medium |
| CVSS (Patchstack/CNA) | 7.2 High |
| Affected Versions | ZCS 10.0.0–10.0.17 and 10.1.0–10.1.12 |
| Fixed Versions | 10.0.18 and 10.1.13 (released November 2025) |
| Exploitation Status | Actively exploited in the wild |
| FCEB Patch Deadline | April 1, 2026 |
How It Works
1. Attacker crafts an HTML email containing a `<style>` block with a CSS `@import` directive pointing to an attacker-controlled URL
2. Victim receives and opens the email in Zimbra Classic UI
3. Zimbra Classic UI renders the HTML email without stripping `@import`
4. Browser loads the external CSS resource — triggering XSS payload execution
5. Attacker harvests the Zimbra session cookie or executes further actions in the context of the victim's authenticated session
Why This Matters
Zimbra is deployed extensively in government, military, financial, and enterprise environments — often as the primary email platform for tens of thousands of users. Stored XSS in a mail client is particularly dangerous because:
- The attack is weaponized via a single email — no phishing link to click
- The payload fires on mail open or preview — passive victims are at risk
- Session tokens harvested via XSS give full mailbox and often SSO access
- Patches have been available since November 2025 — a months-long window of exposure for unpatched orgs
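The chain above hinges on step 3: the mail client passing a `<style>` block with `@import` through to the browser untouched. The following is an added example (not Zimbra's code and not taken from the advisory) of the kind of pre-render filter a mail gateway or webmail front end can apply: it finds every `@import` URL in `<style>` blocks and inline `style` attributes, reports them for alerting, and strips them before the message is rendered. The sample message and its `external.invalid` host are constructed for the example; it uses only the Python standard library.

```python
"""Find and strip CSS @import directives from an HTML mail body.

Added example, not Zimbra's code: a pre-render filter of the kind a mail
gateway or webmail front end can apply so that a <style> block or inline
style attribute cannot pull a stylesheet from an external host.
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple

# Matches @import url("..."), @import url(...), @import "..." and @import '...'
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?""",
    re.IGNORECASE,
)


def find_css_imports(css: str) -> List[str]:
    """Return every URL referenced by an @import directive in a CSS string."""
    return IMPORT_RE.findall(css)


class CssImportStripper(HTMLParser):
    """Re-emits the HTML without <style> blocks and without inline style
    attributes that contain @import, recording the URLs it removed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.removed: List[str] = []
        self._in_style = 0

    def _render_attrs(self, attrs) -> str:
        parts = []
        for name, value in attrs:
            if name == "style" and value and IMPORT_RE.search(value):
                self.removed.extend(find_css_imports(value))
                continue  # drop the whole attribute rather than try to edit CSS
            parts.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style += 1          # the block's content arrives via handle_data
            return
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag != "style":
            self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = max(0, self._in_style - 1)
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_style:
            self.removed.extend(find_css_imports(data))   # record, do not emit
            return
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_comment(self, data):
        pass  # comments are dropped; a mail needs none of them to render


def sanitize_html_mail(html: str) -> Tuple[str, List[str]]:
    """Return (cleaned_html, list_of_removed_import_urls)."""
    parser = CssImportStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message mirroring the steps above; the host is a placeholder.
SAMPLE_MAIL = (
    "<html><head><style>\n"
    '  @import url("https://external.invalid/x.css");\n'
    "  body { color: #333; }\n"
    "</style></head>\n"
    "<body style=\"@import 'https://external.invalid/y.css'\">\n"
    "<p>Quarterly report attached &amp; ready.</p></body></html>"
)

if __name__ == "__main__":
    cleaned, removed = sanitize_html_mail(SAMPLE_MAIL)
    print("removed:", removed)
    print(cleaned)
```

Dropping the whole `<style>` element, rather than editing the CSS inside it, is deliberate: CSS parsers are lenient about whitespace, comments and escapes, so a regex that tries to excise only the `@import` line is easy to slip past, whereas removing the element leaves nothing for the browser to fetch. The returned URL list is what you would ship to your SIEM as the alert.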
CVE-2026-20963: Microsoft SharePoint Server Deserialization RCE
Overview
A deserialization of untrusted data vulnerability in Microsoft Office SharePoint allows a network-authenticated attacker with low-level privileges to execute arbitrary code on the SharePoint server. No elevated permissions or user interaction are required beyond basic authenticated access — a low bar in most enterprise environments.
| Attribute | Value |
|---|---|
| CVE | CVE-2026-20963 |
| CWE | CWE-502 — Deserialization of Untrusted Data |
| CVSS Score | 8.8 High |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Affected Versions | SharePoint Server 2016 (Enterprise), 2019, Subscription Edition (< 16.0.19127.20442) |
| Fixed | January 2026 Microsoft Security Update |
| Exploitation Status | Actively exploited in the wild |
| FCEB Patch Deadline | March 21, 2026 (3 days) |
Attack Profile
Unlike CVE-2025-66376, which requires only a delivered email, CVE-2026-20963 requires an authenticated session — but this bar is routinely cleared by:
- Phishing-acquired credentials (common precursor to SharePoint attacks)
- Password spraying against low-security accounts
- Credential reuse from prior breaches
- Insider threat or compromised contractor accounts
Once an attacker authenticates with any valid SharePoint account, exploitation achieves full code execution on the SharePoint server — a high-value target given SharePoint's typical role storing sensitive documents, intranet data, and business workflows.
Cisco FMC CVE-2026-20131: Ransomware Confirmed (CVSS 10.0)
The third vulnerability in CISA's March 18 advisory references CVE-2026-20131, the maximum-severity (CVSS 10.0) insecure deserialization flaw in Cisco Secure Firewall Management Center that Interlock ransomware has been exploiting as a zero-day since January 26, 2026 — weeks before its public disclosure in March.
| Attribute | Value |
|---|---|
| CVE | CVE-2026-20131 |
| CVSS Score | 10.0 CRITICAL |
| Authentication Required | None |
| Impact | Unauthenticated root RCE on Cisco FMC |
| Exploited By | Interlock ransomware group |
| Exploitation Since | January 26, 2026 (zero-day) |
This vulnerability was previously covered in detail in our Interlock ransomware Cisco FMC zero-day analysis.
Impact Assessment
| Vulnerability | Impact Area | Risk |
|---|---|---|
| CVE-2025-66376 (Zimbra XSS) | Mailbox takeover via session hijack | High — email-borne, passive execution |
| CVE-2026-20963 (SharePoint RCE) | Full server compromise, document exfiltration | High — any authenticated user |
| CVE-2026-20131 (Cisco FMC) | Network security infrastructure takeover | Critical — unauthenticated, CVSS 10.0 |
Recommendations
For All Organizations
- Patch all three vulnerabilities immediately. FCEB agencies have hard deadlines; private sector organizations should treat KEV additions as high-urgency regardless of compliance requirements.
- Prioritize CVE-2026-20963 (SharePoint) — the March 21 deadline signals CISA's view that exploitation is escalating rapidly.
- Review CISA KEV catalog regularly and align patch SLAs to KEV additions.
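To turn "align patch SLAs to KEV additions" into a concrete check, here is an added example (not CISA's or any vendor's tool) that compares an inventory of installed versions against the fixed versions and FCEB deadlines given in the tables above and orders hosts by urgency. The product labels `zimbra` and `sharepoint-se`, the inventory, the host names and the lower SharePoint build number are all constructed for the example; Cisco FMC is left out because this page states no fixed build for it.

```python
"""Triage an inventory against the fixed versions named in this advisory.

Added example, not CISA's or a vendor's tooling. Fixed versions and FCEB
deadlines are those stated in the tables above; everything else
(product labels, host names, inventory) is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.0.17' -> (10, 0, 17); '16.0.19127.20442' -> (16, 0, 19127, 20442)."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Fix:
    cve: str
    product: str          # constructed label used by the inventory
    train: Version        # release train the fix applies to (version prefix)
    fixed: Version        # first fixed version in that train
    fceb_deadline: date


# From the advisory tables above. Cisco FMC (CVE-2026-20131) is omitted:
# this page names no fixed build for it.
FIXES: List[Fix] = [
    Fix("CVE-2025-66376", "zimbra", (10, 0), (10, 0, 18), date(2026, 4, 1)),
    Fix("CVE-2025-66376", "zimbra", (10, 1), (10, 1, 13), date(2026, 4, 1)),
    Fix("CVE-2026-20963", "sharepoint-se", (16, 0), (16, 0, 19127, 20442), date(2026, 3, 21)),
]


def assess(product: str, version: str) -> Tuple[str, Optional[Fix]]:
    """Return ('patched' | 'vulnerable' | 'unknown', matching Fix or None)."""
    v = parse_version(version)
    for fix in FIXES:
        if fix.product == product and v[: len(fix.train)] == fix.train:
            return ("patched" if v >= fix.fixed else "vulnerable"), fix
    return "unknown", None   # release train not covered by this table


def triage(inventory: List[Dict[str, str]],
           today: date = date(2026, 3, 18)) -> List[Dict[str, object]]:
    """Vulnerable hosts first, ordered by soonest FCEB deadline.

    `today` defaults to the KEV addition date so the example is repeatable;
    pass date.today() in real use."""
    rows = []
    for item in inventory:
        status, fix = assess(item["product"], item["version"])
        rows.append({
            "host": item["host"], "product": item["product"],
            "version": item["version"], "status": status,
            "cve": fix.cve if fix else None,
            "days_to_deadline": (fix.fceb_deadline - today).days if fix else None,
        })
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows.sort(key=lambda r: (order[r["status"]],
                             r["days_to_deadline"] if r["days_to_deadline"] is not None else 10**6))
    return rows


# Constructed inventory; the 16.0.18526.20424 build is a made-up lower build number.
INVENTORY = [
    {"host": "mail-01", "product": "zimbra", "version": "10.0.17"},
    {"host": "mail-02", "product": "zimbra", "version": "10.1.13"},
    {"host": "mail-03", "product": "zimbra", "version": "9.0.0"},
    {"host": "sp-01", "product": "sharepoint-se", "version": "16.0.19127.20442"},
    {"host": "sp-02", "product": "sharepoint-se", "version": "16.0.18526.20424"},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Comparing version tuples numerically rather than as strings matters here: a string comparison would rank `10.0.9` above `10.0.18`, and SharePoint's four-component build numbers need the same treatment. Hosts whose release train is not in the table come back as `unknown` rather than `patched`, so an out-of-support branch is never silently marked safe.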
For Zimbra Administrators
- Update to ZCS 10.0.18 or 10.1.13 (patches available since November 2025)
- Disable HTML email rendering in Classic UI as a temporary mitigation if patching is delayed
- Audit webmail access logs for unusual session activity since November 2025
- Consider migrating from Classic UI to Zimbra Modern UI if the Classic UI is not required
For SharePoint Administrators
- Apply the January 2026 Microsoft Security Update — the patch has been available for months
- Audit SharePoint server event logs for suspicious web requests and process spawning
- Restrict SharePoint access to VPN or named networks if public-facing
- Enforce MFA on all SharePoint-authenticated accounts to raise the authentication bar
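For the "process spawning" item above, here is an added example (not from Microsoft, CISA or the article) of a detection over process-creation telemetry. SharePoint web applications run inside the IIS worker process `w3wp.exe`, which in normal operation starts little beyond the ASP.NET compilers, so any other child process, and especially a shell or script host, deserves a look. The NDJSON events, host names and the Sysmon-style `Computer`/`ParentImage`/`Image`/`CommandLine` field names are constructed for the example.

```python
"""Flag unexpected child processes of the IIS worker that hosts SharePoint.

Added example, not Microsoft's or CISA's tooling: a scanner over
process-creation events (Sysmon Event ID 1 style fields exported as
NDJSON) implementing the "audit for process spawning" recommendation.
The event lines below are constructed, not real telemetry.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Worker process that hosts SharePoint web applications.
WEB_WORKERS = {"w3wp.exe"}

# Children w3wp.exe legitimately starts (ASP.NET dynamic compilation).
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}

# A web worker spawning one of these is a strong signal that a request
# turned into code execution on the server.
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
    "bitsadmin.exe", "msiexec.exe",
}


@dataclass
class Finding:
    severity: str      # "high" (known shell/script host) or "medium" (anything else)
    host: str
    parent: str
    child: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if a web worker spawned an unexpected child, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in WEB_WORKERS or child in EXPECTED_CHILDREN:
        return None
    severity = "high" if child in LOLBINS else "medium"
    return Finding(severity, event.get("Computer", "?"), parent, child,
                   event.get("CommandLine", ""))


def scan(ndjson_lines: Iterable[str]) -> List[Finding]:
    """Parse one JSON event per line; blanks and malformed records are skipped."""
    findings = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (hosts, paths and commands are made up for the example).
SAMPLE_EVENTS = r"""
{"Computer": "SP-WFE01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig"}
{"Computer": "SP-WFE01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "SP-WFE01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"Computer": "SP-WFE02", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
not json at all
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.severity}] {f.host}: {f.parent} -> {f.child}  {f.command_line}")
```

The rule is deliberately anchored on the parent, not the child: an interactive `cmd.exe` under `explorer.exe` is everyday administration and is ignored, while the same binary under `w3wp.exe` is flagged. Tune `EXPECTED_CHILDREN` to what your own farm actually spawns over a quiet week before relying on the `medium` tier.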
For Cisco FMC Operators
- Patch CVE-2026-20131 immediately — see our full advisory and response guide
- Treat any unpatched FMC as potentially compromised since January 2026
- Restrict FMC management interface to dedicated management VLANs only — never expose to the internet
Key Takeaways
- Three high-severity exploited vulnerabilities disclosed on a single day signal heightened threat actor activity in early 2026
- CVE-2026-20963 (SharePoint) has a 3-day patch deadline — the shortest possible under CISA KEV rules — reflecting severe active exploitation
- CVE-2025-66376 (Zimbra XSS) has been patchable since November 2025; organizations running unpatched Zimbra have been exposed for over four months
- Cisco FMC CVE-2026-20131 confirms ransomware groups are now consistently weaponizing network management plane vulnerabilities for maximum organizational impact
- All three CVEs follow the same pattern: well-known, patchable vulnerabilities being actively exploited well after patches were released — underscoring that patching velocity remains the primary defensive gap
- Organizations should verify these three products against current patch levels today, not during the next scheduled maintenance window