CISA Urges Patching of Actively Exploited Zimbra and SharePoint Flaws
The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** has issued warnings, urging government agencies to immediately patch critical security vulnerabilities in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**. These flaws are reportedly being actively exploited in the wild, posing a significant risk to affected systems.

### Actively Exploited Vulnerabilities
**CISA** has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgent need for remediation:
* **CVE-2025-66376** (CVSS score: 7.2): A stored cross-site scripting (XSS) vulnerability in the Classic UI of **ZCS**. The flaw is triggered by Cascading Style Sheets (CSS) @import directives placed in an HTML email, which the Classic UI failed to neutralize before rendering the message. This issue was addressed in **Zimbra** versions 10.0.18 and 10.1.13, released in November 2025.
* **CVE-2026-20963** (CVSS score: 8.8): A deserialization of untrusted data vulnerability in **Microsoft Office SharePoint**. This vulnerability allows unauthorized attackers to execute arbitrary code remotely. **Microsoft** issued a patch for this flaw in January 2026.
### Operation GhostMail: Exploiting Zimbra XSS
The addition of **CVE-2025-66376** to the KEV catalog follows a report by **Seqrite Labs**, which uncovered a campaign dubbed "Operation GhostMail." This campaign, attributed to a suspected Russian state-sponsored threat actor, targeted the State Hydrographic Service of Ukraine (hydro.gov[.]ua).
**Seqrite Labs** detailed how the attackers used a socially engineered internship inquiry to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the message in a vulnerable **Zimbra** Classic UI session, rendering the HTML triggers **CVE-2025-66376** and the script runs in the context of the victim's webmail session.
"The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email. There are no malicious attachments."
This JavaScript malware is designed to harvest sensitive information, including credentials, session tokens, backup two-factor authentication (2FA) recovery codes, browser-saved passwords, and the contents of the victim's mailbox for the past 90 days. The stolen data is then exfiltrated via both DNS and HTTPS.
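Because the stolen data leaves over DNS as well as HTTPS, resolver logs are where this kind of exfiltration is most visible even when the endpoint shows nothing. The following Python is an added example written for this page, not code from the Seqrite report (which does not publish the campaign's query format): it applies a standard heuristic to constructed resolver log lines, grouping queries by client and base domain and flagging a client that keeps asking for long, high-entropy, never-repeating names under one domain. The log lines, client addresses, domain names and thresholds are all assumptions made up for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log lines in "time client qname" form. The encoded-looking
# names under example.invalid stand in for DNS exfiltration; they are made up for
# this example and are not queries observed in Operation GhostMail.
SAMPLE_DNS_LOG = """\
10:01:02 10.0.0.5 www.example.com
10:01:03 10.0.0.5 mail.example.com
10:01:05 10.0.0.5 0123456789abcdef.fedcba9876543210.example.invalid
10:01:05 10.0.0.5 123456789abcdef0.edcba9876543210f.example.invalid
10:01:06 10.0.0.5 23456789abcdef01.dcba9876543210fe.example.invalid
10:01:06 10.0.0.5 3456789abcdef012.cba9876543210fed.example.invalid
10:01:07 10.0.0.5 456789abcdef0123.ba9876543210fedc.example.invalid
10:01:07 10.0.0.5 56789abcdef01234.a9876543210fedcb.example.invalid
10:01:08 10.0.0.7 www.example.com
10:01:09 10.0.0.7 cdn.example.net
10:01:10 10.0.0.7 static.example.net
"""


def entropy(s: str) -> float:
    """Shannon entropy in bits per character. Hex/base32-encoded payloads score
    close to log2(alphabet size); ordinary host names score much lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Crude split: the last two labels are treated as the base domain (an
    assumption; production code would consult the public suffix list) and the
    remaining labels, joined, are the part an attacker can fill with data."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def find_dns_exfil(log_lines, min_queries=5, min_len=24, min_entropy=3.3):
    """Flag (client, base domain) pairs whose distinct subdomains look like
    encoded data: many of them, long, and with high character entropy."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        _time, client, qname = parts
        base, sub = split_qname(qname)
        seen[(client, base)].add(sub)
    hits = []
    for (client, base), subs in sorted(seen.items()):
        if len(subs) < min_queries:
            continue  # too few distinct names to call it a channel
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(entropy, subs)) / len(subs)
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits.append({"client": client, "base_domain": base,
                         "queries": len(subs), "mean_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_dns_exfil(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

The thresholds are deliberately conservative; in practice they are tuned per environment, and the same grouping is worth running over HTTPS proxy logs (unique long paths or query strings per destination) since the report names both channels.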
The campaign aligns with previous attacks by Russian state-sponsored actors, such as Operation RoundPress, which leveraged XSS vulnerabilities in webmail software to compromise Ukrainian organizations.
**Seqrite Labs** emphasizes that "Operation GhostMail demonstrates the continued evolution of webmail-focused intrusion, where attackers rely entirely on browser-resident stealers rather than traditional malware binaries. By embedding obfuscated JavaScript directly within an HTML email and exploiting a **Zimbra** webmail XSS condition, the threat actor achieves full session interception without dropping files, exploiting macros, or triggering endpoint-based detections."
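The campaign above lives entirely in the HTML body, and the Zimbra bug is reached through a CSS @import directive, so the control that matters is inspecting message HTML before a webmail client renders it. The following Python is an added example written for this page, not Seqrite's or Zimbra's code. It walks an HTML email with the standard-library parser, normalizes CSS the way a browser's tokenizer would (dropping comments and decoding backslash escapes, so `@/**/imp\6frt` is recognized as `@import`), and reports the active constructs a webmail sanitizer must strip: @import and other CSS directives, script, event-handler attributes and `javascript:` URLs. The sample message, its domain and its obfuscated directive are constructed for illustration and are not the GhostMail artifacts.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a benign-looking message with a CSS @import smuggled in.
# The directive is obfuscated with a CSS comment and a hex escape so that a naive
# search for the literal string "@import" misses it. The domain is a placeholder.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Hello, I am writing to ask about internship opportunities with your service.</p>
<style>
  @/*x*/imp\\6frt url("https://cdn.example.invalid/theme.css");
</style>
<div style="background:url(https://cdn.example.invalid/bg.png)">My CV is below.</div>
<a href="java&#9;script:alert(1)">portfolio</a>
</body></html>
"""

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")
CSS_CHAR_ESCAPE = re.compile(r"\\(.)", re.S)

# Tokens that must not reach the rendering engine ("block") and ones worth logging ("warn").
CSS_TOKENS = {"@import": "block", "expression(": "block", "behavior:": "block",
              "-moz-binding": "block", "javascript:": "block", "url(": "warn"}


def normalize_css(text: str) -> str:
    """Apply the decoding a CSS tokenizer performs before matching: drop comments,
    decode hex and backslash escapes, collapse whitespace, lowercase."""
    text = CSS_COMMENT.sub("", text)
    text = CSS_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = CSS_CHAR_ESCAPE.sub(r"\1", text)
    return re.sub(r"\s+", " ", text).strip().lower()


class EmailHtmlInspector(HTMLParser):
    """Collects active content in an HTML email body: style sheets (inline and
    linked), script, event handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []       # (severity, where, detail)
        self._cdata_tag = None   # "style" or "script" while inside that element
        self._cdata_buf = []

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._cdata_tag, self._cdata_buf = tag, []
        for name, value in attrs:
            value = value or ""
            if name == "style":
                self._check_css("style-attribute", value)
            elif name.startswith("on"):
                self.findings.append(("block", "event-handler", f"{name}={value}"))
            elif name in ("href", "src", "action", "formaction"):
                # HTMLParser has already decoded entities such as &#9; in the value
                if re.sub(r"\s", "", value).lower().startswith("javascript:"):
                    self.findings.append(("block", "javascript-url", value))
            elif tag == "link" and name == "rel" and "stylesheet" in value.lower():
                self.findings.append(("block", "external-stylesheet", dict(attrs).get("href", "")))

    def handle_data(self, data):
        if self._cdata_tag:
            self._cdata_buf.append(data)  # style/script bodies arrive as raw data

    def handle_endtag(self, tag):
        if tag == self._cdata_tag:
            body = "".join(self._cdata_buf)
            if tag == "style":
                self._check_css("style-element", body)
            else:
                self.findings.append(("block", "script-element", body.strip()[:40]))
            self._cdata_tag = None

    def _check_css(self, where, css):
        norm = normalize_css(css)
        for token, severity in CSS_TOKENS.items():
            if token in norm:
                self.findings.append((severity, where, token))


def inspect_email_html(html: str):
    parser = EmailHtmlInspector()
    parser.feed(html)
    parser.close()
    return parser.findings


def safe_to_render(html: str) -> bool:
    """True only when nothing in the message needs blocking."""
    return all(sev != "block" for sev, _, _ in inspect_email_html(html))


if __name__ == "__main__":
    for finding in inspect_email_html(SAMPLE_EMAIL_HTML):
        print(finding)
```

The normalization step is the point: a sanitizer that matches only the literal `@import` is exactly the kind of check a comment or a `\69` escape walks past, which is why the example decodes first and matches second. `url(` is reported as a warning rather than blocked because remote images are common in legitimate mail, though they are also the usual tracking vector.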
### SharePoint Vulnerability Exploitation
Currently, there are no public reports detailing the exploitation of **CVE-2026-20963**, including the identity of the threat actor or the extent of the attacks. Because exploitation has nonetheless been confirmed, **CISA** requires Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches for **CVE-2026-20963** by March 23, 2026, and for **CVE-2025-66376** by April 1, 2026.
### Interlock Ransomware and Cisco Zero-Day
This disclosure coincides with news from **Amazon** that threat actors associated with **Interlock** ransomware have been exploiting a critical security flaw in **Cisco's** firewall management software (**CVE-2026-20131**, CVSS score: 10.0) since January 26, 2026, before its public disclosure.
According to **Amazon**, "**Interlock** has historically targeted specific sectors where operational disruption creates maximum pressure for payment," including education, engineering, architecture, construction, manufacturing, industrial, health care, and government entities.
This incident underscores the persistent trend of threat actors targeting edge network devices from various vendors, such as **Cisco**, **Fortinet**, and **Ivanti**, to gain initial access to target networks. The weaponization of **CVE-2026-20131** as a zero-day exploit demonstrates the significant investment attackers are making to discover previously unknown vulnerabilities that provide elevated access.
### CISA Adds Cisco Flaw to KEV Catalog
On March 19, 2026, **CISA** added **CVE-2026-20131** to its Known Exploited Vulnerabilities (KEV) catalog, mandating that FCEB agencies update their systems to the latest version by March 22, 2026.
Furthermore, late last month, **CISA** issued an emergency directive urging FCEB agencies to mitigate recently disclosed vulnerabilities in **Cisco** Catalyst SD-WAN systems (**CVE-2026-20127**, **CVE-2022-20775**, **CVE-2026-20122**, and **CVE-2026-20128**) that are under active exploitation. Agencies were required to report "all syslog logging" and other relevant cloud logs by March 23, 2026.
### VulnCheck Analysis of Cisco SD-WAN Flaw
A report published last week by **VulnCheck** revealed that **CVE-2026-20133**, another vulnerability in Catalyst SD-WAN, poses a "higher risk than defenders may realize" and is likely to be targeted by attackers.
**VulnCheck** stated that the file system access granted by the vulnerability can be exploited to extract the "vmanage-admin" user's private key, compromising the Network Configuration Protocol (NETCONF) used to configure and manage SD-WAN devices. Additionally, the vulnerability can be weaponized to leak confd_ipc_secret, allowing any local user to escalate to an unconstrained root shell.
**VulnCheck** researchers Caitlin Condon and Josh Shomo cautioned that "Early exploits and industry attention on emerging threats can be useful for understanding likely exploitation paths and vulnerability nuances, but they can also lead organizations astray when they rely on untested research artifacts or overly narrow focus on specific attack paths."