
CISA Warns of Exploits in Zimbra and SharePoint Flaws; Cisco Zero-Day Targeted in Ransomware Attacks


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging all government agencies to promptly address two security vulnerabilities affecting widely used software: Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. The warning follows evidence that these vulnerabilities are not merely theoretical risks but have already been actively exploited by malicious actors.

Both vulnerabilities are severe. The first, tracked as CVE-2025-66376, has a CVSS score of 7.2, placing it in the high-severity range. The flaw exists in the Classic UI of ZCS and allows attackers to abuse Cascading Style Sheets (CSS) @import directives embedded in HTML email messages. It is of particular concern because it may enable unauthorized access to sensitive information. It was fixed in versions 10.0.18 and 10.1.13, released in November 2025, but organizations that have not applied these updates remain vulnerable.

The second vulnerability, CVE-2026-20963, carries an even higher CVSS score of 8.8, which the advisory treats as critical. It is a deserialization of untrusted data in Microsoft Office SharePoint that could allow an unauthorized attacker to run arbitrary code over a network. Microsoft resolved the issue in a patch released in January 2026, but the window of exploitability calls for immediate action from all agencies running the software.

The urgency of these alerts was underscored by a recent report from Seqrite Labs, detailing the operations of what is believed to be a Russian state-sponsored group targeting the State Hydrographic Service of Ukraine in a campaign labeled Operation GhostMail. The campaign employs social engineering tactics, tricking victims into opening emails that contain a concealed JavaScript payload. When the targeted individual accesses their Zimbra email in a vulnerable webmail session, the exploit takes effect, leveraging the aforementioned CVE-2025-66376.

Seqrite Labs highlighted that the phishing emails used in this operation are particularly insidious. Unlike traditional threats that rely on malicious attachments or deceptive links, the entire attack is embedded in the HTML body of the email, so the recipient sees no obvious red flags and the chance of detection is reduced.

Once activated, the JavaScript malware runs a series of data-harvesting routines, capturing credentials, session tokens, two-factor authentication (2FA) recovery codes, saved passwords, and up to 90 days of emails from the user's mailbox. The harvested information is exfiltrated over both DNS and HTTPS, which further complicates detection. The specific incident reported occurred on January 22, 2026, and involved an email sent from a likely compromised account associated with the National Academy of Internal Affairs.
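DNS exfiltration of the kind mentioned above typically shows up in resolver logs as a burst of queries whose leftmost label is long and high-entropy (encoded data) and whose suffix is a single attacker-controlled domain. The script below is an added example for this article, not code from Seqrite Labs or any vendor: it parses constructed query-log lines of the form `timestamp client qname qtype`, scores each query's first label by length and Shannon entropy, and reports suffixes that accumulate several such queries. The registrable-domain split (last two labels) and the thresholds are simplifying assumptions; production tooling would use the Public Suffix List and baselines tuned to the environment.

```python
"""Heuristic DNS-exfiltration detector over constructed resolver log lines.

Added example for illustration; thresholds and the two-label domain split are
assumptions, and all log lines are constructed.
"""
import math
from collections import Counter, defaultdict

MIN_LABEL_LEN = 24      # assumption: encoded chunks are long
MIN_ENTROPY = 3.5       # assumption: bits per character of the first label
MIN_QUERIES = 4         # assumption: burst size before a domain is reported


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Last two labels of the query name (simplification; real code uses the PSL)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_encoded_label(qname: str) -> bool:
    """True when the leftmost label looks like an encoded data chunk."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY


def find_suspect_domains(lines, min_queries: int = MIN_QUERIES) -> dict:
    """Group encoded-looking queries by domain; return those above the burst threshold."""
    per_domain = defaultdict(lambda: {"queries": 0, "clients": set(), "max_label_len": 0})
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash
        client, qname = parts[1], parts[2]
        if not is_encoded_label(qname):
            continue
        entry = per_domain[registrable_domain(qname)]
        entry["queries"] += 1
        entry["clients"].add(client)
        entry["max_label_len"] = max(entry["max_label_len"], len(qname.split(".")[0]))
    return {d: e for d, e in per_domain.items() if e["queries"] >= min_queries}


# Constructed sample log: ordinary lookups, one long-but-repetitive label that
# must NOT fire (entropy 0), and five high-entropy chunks to a placeholder domain.
_BASE32ISH = "abcdefghijklmnopqrstuvwxyz234567"  # 32 distinct chars -> 5 bits/char
SAMPLE_LOG = [
    "2026-01-22T09:14:01Z 10.0.0.15 www.example.org A",
    "2026-01-22T09:14:02Z 10.0.0.15 cdn.example.org A",
    "2026-01-22T09:14:03Z 10.0.0.15 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org A",
] + [
    f"2026-01-22T09:14:{5 + i:02d}Z 10.0.0.15 "
    f"{_BASE32ISH[i:] + _BASE32ISH[:i]}.t1.example.invalid TXT"
    for i in range(5)
]

if __name__ == "__main__":
    for domain, info in find_suspect_domains(SAMPLE_LOG).items():
        print(f"{domain}: {info['queries']} encoded queries from {len(info['clients'])} client(s),"
              f" longest label {info['max_label_len']}")
```

The entropy check is what keeps the repetitive `aaaa...` label from firing; length alone would flag it. Pairing this with the HTTPS side (unexpected TXT or long-label volume from a mail client host, plus outbound TLS to new domains from the same host) is how the two exfiltration channels the article mentions are usually correlated.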

The modus operandi exhibited in Operation GhostMail is reminiscent of previous attacks attributed to Russian state-sponsored groups, including Operation RoundPress, where similar cross-site scripting (XSS) vulnerabilities in webmail applications have been leveraged to compromise Ukrainian organizations.

Seqrite Labs also noted that Operation GhostMail exemplifies a shift in tactics: threat actors are increasingly choosing browser-based stealers over traditional malware binaries. By embedding obfuscated JavaScript directly in emails, adversaries can intercept sessions without dropping additional files or relying on macros, both of which typically trigger endpoint detection systems.

While initial findings have cataloged the exploitation of CVE-2025-66376, there is still a notable lack of public information regarding CVE-2026-20963, including the identity of the threat actors involved and the scope of the attacks. In light of the pressing nature of these vulnerabilities, CISA has advised Federal Civilian Executive Branch agencies to remediate CVE-2025-66376 by April 1, 2026, and to rectify CVE-2026-20963 by March 23, 2026.

The advisory coincides with a report from Amazon on the Interlock ransomware group. The group has been exploiting a vulnerability in Cisco's firewall management software (CVE-2026-20131, CVSS score 10.0) since January 26, 2026, long before its public disclosure. Interlock has historically targeted sectors where disruption creates significant operational pressure, such as education, healthcare, and government agencies.

The continued targeting of network edge devices from multiple vendors is a reminder that exposure is not confined to traditional entry points but spans every layer of organizational infrastructure. Exploitation of flaws like CVE-2026-20131 shows that discovering and using zero-day vulnerabilities remains a high priority for actors seeking elevated access within networks. As agencies work to fortify their defenses, vigilance and timely patching remain essential.
