

Ethical Hacking News

CISA Adds Microsoft SharePoint and Zimbra Flaws to Known Exploited Vulnerabilities Catalog



The United States Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, namely CVE-2026-20963 in Microsoft SharePoint and CVE-2025-66376 in Synacor Zimbra Collaboration Suite. This move is aimed at alerting federal agencies, private sector organizations, and other stakeholders to the potential risks associated with these vulnerabilities. The added vulnerabilities have been assigned high severity scores, indicating their potential impact on organizations.

  • Federal agencies are required to address CVE-2026-20963 and CVE-2025-66376 by March 21, 2026, and April 1st, 2026, respectively.
  • The vulnerabilities are a deserialization of untrusted data flaw in Microsoft SharePoint and a stored XSS flaw in Synacor Zimbra Collaboration Suite.
  • Private organizations are recommended to review the KEV catalog and address these vulnerabilities to prevent unauthorized access, data breaches, and cyber attacks.




The first vulnerability added to the KEV catalog, CVE-2026-20963, is a deserialization of untrusted data flaw in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network. This vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 8.8, indicating its high severity and potential impact on organizations.

In a network-based attack, an unauthenticated attacker could inject and execute arbitrary code remotely on the SharePoint server. This means that even if an organization has taken steps to secure its network, it may still be exposed to this type of attack if it runs Microsoft SharePoint.

The second vulnerability added to the KEV catalog, CVE-2025-66376, is a stored XSS vulnerability in the Classic UI of Synacor Zimbra Collaboration Suite. This vulnerability allows attackers to abuse CSS @import directives in email HTML, which can be used to inject malicious code into the victim's system.
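The construct the article names for CVE-2025-66376 is a CSS @import directive carried in email HTML. The following is an added example, not Zimbra's code and not a patch for the flaw: a triage check that a mail-security team could run over captured messages to surface @import wherever it sits, in a style element or in an inline style attribute. The three sample messages, the example.invalid URLs and the function names are constructed for this illustration.

```python
"""Triage check for CSS @import in HTML email bodies.

Added example; not Zimbra's code and not a fix for CVE-2025-66376. It flags
the construct the article names (@import inside email HTML) whether it sits
in a <style> element or an inline style attribute. All sample messages below
are constructed.
"""
import re
from html.parser import HTMLParser

# Matches the at-rule itself; case-insensitive because CSS at-rule names are.
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)


class CssCollector(HTMLParser):
    """Gathers <style> element text and every style="..." attribute value."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.style_blocks = []
        self.inline_styles = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            # Attribute values arrive entity-decoded, so &#64;import is seen as @import.
            if name == "style" and value:
                self.inline_styles.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # html.parser treats <style> content as CDATA and hands it over raw.
        if self.in_style:
            self.style_blocks.append(data)


def find_css_imports(html: str) -> list:
    """Return (location, snippet) for each @import found; an empty list means none."""
    collector = CssCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for location, sources in (("style-element", collector.style_blocks),
                              ("style-attribute", collector.inline_styles)):
        for css in sources:
            for m in IMPORT_RE.finditer(css):
                findings.append((location, css[m.start():m.start() + 60].strip()))
    return findings


# Constructed sample messages: one benign, two carrying @import.
CLEAN_MAIL = "<html><body><p style='color:#333'>Quarterly report attached.</p></body></html>"
STYLE_BLOCK_MAIL = ('<html><head><style>body{font:12px sans-serif}\n'
                    '@import url("https://example.invalid/remote.css");</style></head>'
                    '<body>Hello</body></html>')
INLINE_MAIL = ('<html><body><div style="@IMPORT url(https://example.invalid/x.css); color:red">'
               'Hi</div></body></html>')

if __name__ == "__main__":
    for name, mail in (("clean", CLEAN_MAIL), ("style block", STYLE_BLOCK_MAIL), ("inline", INLINE_MAIL)):
        print(name, find_css_imports(mail))
```

This is detection for triage and hunting in mail archives, not sanitization: the durable mitigation is the vendor fix plus a server-side HTML/CSS sanitizer that drops remote-loading at-rules before the webmail UI renders a message.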

According to the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have been ordered to address the identified vulnerabilities by specific deadlines. For CVE-2026-20963, federal agencies are required to fix the vulnerability by March 21, 2026, while for CVE-2025-66376, the deadline is April 1st, 2026.

Experts recommend that private organizations review the KEV catalog and address the vulnerabilities in their infrastructure. This is crucial in preventing unauthorized access, data breaches, and other types of cyber attacks.
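Reviewing the KEV catalog against what an organization actually runs is a routine check that can be scripted. The following is an added example, not code from the article, CISA or either vendor: it parses a feed in the shape of CISA's KEV JSON (the field names cveID, vendorProject, product, shortDescription and dueDate follow the public feed; treat that layout as an assumption and confirm it against the live feed), matches entries to an asset inventory, and reports how many days remain before each BOD 22-01 due date. The two-record feed and the inventory are constructed from the article rather than downloaded.

```python
"""Remediation-deadline check against a CISA KEV-style feed.

Added example; not code from the article, CISA, or either vendor. SAMPLE_FEED is
a constructed two-record stand-in using the article's CVE IDs and due dates, and
INVENTORY is a constructed list of products an organization might run.
"""
import json
from datetime import date

# Constructed stand-in for the KEV feed (field names assumed to follow the public feed).
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20963",
            "vendorProject": "Microsoft",
            "product": "SharePoint",
            "shortDescription": "Deserialization of untrusted data allows code execution over a network.",
            "dueDate": "2026-03-21",
        },
        {
            "cveID": "CVE-2025-66376",
            "vendorProject": "Synacor",
            "product": "Zimbra Collaboration Suite (ZCS)",
            "shortDescription": "Stored XSS in the Classic UI via CSS @import in email HTML.",
            "dueDate": "2026-04-01",
        },
    ],
})

# Constructed asset inventory: (vendor, product) pairs as an organization might record them.
INVENTORY = [
    ("Microsoft", "SharePoint Server"),
    ("Synacor", "Zimbra Collaboration Suite"),
    ("Microsoft", "Exchange Server"),
]


def load_kev(feed_json: str) -> list:
    """Parse the feed text and return its list of vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def product_matches(entry: dict, vendor: str, product: str) -> bool:
    """Case-insensitive vendor match plus a substring match in either direction on
    product, so 'SharePoint' in the feed still matches 'SharePoint Server' in inventory."""
    if entry["vendorProject"].casefold() != vendor.casefold():
        return False
    feed_prod, inv_prod = entry["product"].casefold(), product.casefold()
    return feed_prod in inv_prod or inv_prod in feed_prod


def remediation_report(feed_json: str, inventory, today_iso: str) -> list:
    """Return (cveID, product, dueDate, days_left, status) for every KEV entry that
    matches the inventory, most urgent first. status is OVERDUE, DUE_TODAY or OPEN."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in load_kev(feed_json):
        if not any(product_matches(entry, v, p) for v, p in inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else "DUE_TODAY" if days_left == 0 else "OPEN"
        rows.append((entry["cveID"], entry["product"], entry["dueDate"], days_left, status))
    rows.sort(key=lambda r: r[3])
    return rows


if __name__ == "__main__":
    for cve, prod, due, days, status in remediation_report(SAMPLE_FEED, INVENTORY, date.today().isoformat()):
        print(f"{status:9} {cve}  {prod}  due {due} ({days:+d} days)")
```

The substring match on product is deliberately loose so that a feed entry is not missed because of naming differences; a false positive here costs a minute of review, whereas a missed match costs an unpatched exploited flaw.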

In recent days, several high-profile data breaches and cyber attacks have been reported across various industries. For example, the robotic surgery firm Intuitive reported a data breach after being targeted by a phishing attack, and the food chain Starbucks was impacted by a data breach that affected over 889 employees.

The addition of these vulnerabilities to the KEV catalog is a reminder of the ongoing threat landscape and of the importance of staying vigilant about cybersecurity. As organizations continue to rely on technology to conduct their operations, they must also prioritize security measures to protect against potential threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Adds-Microsoft-SharePoint-and-Zimbra-Flaws-to-Known-Exploited-Vulnerabilities-Catalog-ehn.shtml
  • https://securityaffairs.com/189628/security/u-s-cisa-adds-microsoft-sharepoint-and-zimbra-flaws-to-its-known-exploited-vulnerabilities-catalog.html
  • https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-two-known-exploited-vulnerabilities-catalog
  • https://thehackernews.com/2025/02/cisa-adds-microsoft-and-zimbra-flaws-to.html
  • https://nvd.nist.gov/vuln/detail/CVE-2026-20963
  • https://www.cvedetails.com/cve/CVE-2026-20963/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-66376
  • https://www.cvedetails.com/cve/CVE-2025-66376/


  • Published: Wed Mar 18 19:19:38 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
