CISA Catalog Updates Highlight Dual Enterprise Threats: Zimbra XSS and SharePoint Deserialization
CISA added two known-exploited vulnerabilities to its KEV catalog: a Zimbra Collaboration Suite XSS flaw and a Microsoft SharePoint deserialization vulnerability. Both are under active exploitation and carry significant risk to federal and enterprise environments.
CISA's addition of these two vulnerabilities to the Known Exploited Vulnerabilities catalog signals confirmed active exploitation in the wild, elevating their priority for defensive action. CVE-2025-66376 represents a cross-site scripting vulnerability in Zimbra, a widely deployed email and collaboration platform often found in enterprise environments. XSS vulnerabilities in email systems are particularly dangerous as they enable account takeover, credential harvesting, and lateral movement within organizations. The second vulnerability, CVE-2026-20963, targets Microsoft SharePoint's deserialization handling—a classic attack vector that frequently leads to remote code execution when exploited against unpatched systems.
The deserialization vulnerability in SharePoint is especially concerning given the platform's ubiquity across federal and commercial enterprises as a document management and collaboration hub. Insecure deserialization of untrusted data has been a persistent weakness in .NET applications and represents a direct path to system compromise. Attackers exploiting this flaw can potentially execute arbitrary code with the privileges of the SharePoint application pool, enabling data exfiltration, system manipulation, and persistence mechanisms.
CISA's mandate under BOD 22-01 requires federal agencies to patch known-exploited vulnerabilities within defined timelines. The catalog addition of these vulnerabilities creates immediate compliance obligations for government entities. However, the practical impact extends far beyond federal networks—commercial organizations relying on Zimbra for email infrastructure or SharePoint for document management should treat these as critical patches requiring expedited deployment.
Defenders must prioritize immediate inventory of affected systems and implement patches without delay. For organizations unable to patch immediately, implementing network segmentation, disabling unnecessary features (e.g., WebDAV in SharePoint if not required), and deploying compensating controls such as WAF rules to block malicious payloads can reduce exposure. Monitoring for exploitation indicators—unusual XSS payloads in Zimbra logs, suspicious deserialization patterns in SharePoint application logs—should be implemented immediately.
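One way to start the log monitoring the previous paragraph calls for, as an added example rather than anything from the advisory or from CISA: a small scanner that flags the two indicator classes named there, XSS payloads in Zimbra web-access lines and serialized .NET objects in SharePoint request lines. Everything below is constructed for illustration: the log lines, the request paths, the session token, and the detection heuristics themselves. The only fixed fact used is the .NET BinaryFormatter stream header (the well-known base64 prefix "AAEAAAD/////AQAAAAAAAAA"), which is assumed here to be a useful signal for the SharePoint case since the advisory does not state which serializer is involved.

```python
"""Added example (not from the advisory): flag the two indicator classes the
text tells defenders to monitor, XSS payloads in Zimbra web-access logs and
serialized .NET objects in SharePoint request logs. The log lines are
constructed; the detection rules are heuristics chosen here, not CISA's."""
import base64
import binascii
import re
from urllib.parse import unquote, unquote_plus

# Every .NET BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
# Base64-encoded, this prefix is the familiar "AAEAAAD/////AQAAAAAAAAA".
BINARYFORMATTER_HEADER = (
    b"\x00"                # RecordTypeEnum.SerializedStreamHeader
    b"\x01\x00\x00\x00"    # RootId = 1
    b"\xff\xff\xff\xff"    # HeaderId = -1
    b"\x01\x00\x00\x00"    # MajorVersion = 1
    b"\x00\x00\x00\x00"    # MinorVersion = 0
)

# Heuristic markers for reflected/stored XSS, applied after percent-decoding.
XSS_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "event-handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),  # onerror= etc. inside a tag
    "media-tag": re.compile(r"<\s*(img|svg|iframe|object)\b", re.I),
}

# Runs of base64 text long enough to hold a serialized-object header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_layers(value, plus_is_space=True, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads do not slip past."""
    dec = unquote_plus if plus_is_space else unquote
    for _ in range(max_rounds):
        nxt = dec(value)
        if nxt == value:
            break
        value = nxt
    return value


def xss_indicators(text):
    """Names of XSS patterns present in the decoded text (empty list if none)."""
    decoded = decode_layers(text)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]


def binaryformatter_blobs(text):
    """Base64 runs whose decoded bytes start with the BinaryFormatter header."""
    hits = []
    # Keep a literal '+' here: in base64 it is a digit, not an encoded space.
    for match in B64_RUN.finditer(decode_layers(text, plus_is_space=False)):
        run = match.group(0)
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(BINARYFORMATTER_HEADER):
            hits.append(run)
    return hits


def scan_line(line):
    """All findings for one log line; both checks run whatever the source."""
    findings = ["xss:" + name for name in xss_indicators(line)]
    findings += ["binaryformatter:" + run[:12] for run in binaryformatter_blobs(line)]
    return findings


def scan_logs(entries):
    """entries: iterable of (source, line). Returns (index, source, finding) tuples."""
    return [(i, src, f) for i, (src, line) in enumerate(entries) for f in scan_line(line)]


# Constructed sample blobs: one serialized-stream header plus a filler byte,
# one harmless opaque token, one JSON body.
SAMPLE_BLOB = base64.b64encode(BINARYFORMATTER_HEADER + b"\x0c").decode()
BENIGN_TOKEN = base64.b64encode(b"opaque session token, not a payload").decode()
BENIGN_JSON = base64.b64encode(b'{"name":"report.docx"}').decode()

# Constructed log lines (nginx-style for Zimbra, simplified request fields for
# SharePoint); paths and addresses are placeholders, not product specifics.
SAMPLE_LOGS = [
    ("zimbra", '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /mail/search?q=quarterly+report HTTP/1.1" 200 512'),
    ("zimbra", '203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /mail/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512'),
    ("zimbra", '203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /mail/compose?subject=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512'),
    ("sharepoint", "POST /_layouts/15/example.aspx sid=" + BENIGN_TOKEN + " body=" + SAMPLE_BLOB),
    ("sharepoint", "POST /_layouts/15/example.aspx sid=" + BENIGN_TOKEN + " body=" + BENIGN_JSON),
]

if __name__ == "__main__":
    for index, source, finding in scan_logs(SAMPLE_LOGS):
        print(f"line {index} [{source}]: {finding}")
```

Two design points matter in practice. Percent-decoding is repeated because double-encoded payloads are a routine evasion, and the third constructed Zimbra line only trips the rules after the second decoding round. The base64 check decodes each candidate run and compares bytes rather than grepping for the string "AAEAAAD", so a payload split or re-padded to avoid the literal prefix is still caught, while ordinary opaque tokens (like the session value on the SharePoint lines) decode to something else and are not flagged.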
Taken together, these additions suggest attackers are aggressively targeting widely deployed enterprise infrastructure. That the two advisories cover email and document management respectively points to coordinated targeting of communication and data repositories, with threat actors prioritizing supply-chain and lateral movement opportunities. Organizations should assume both vulnerabilities are being actively weaponized and treat remediation as an emergency operation rather than routine patching.