Overview
- Federal agencies must patch Microsoft SharePoint CVE-2026-20963 by March 21 and Zimbra CVE-2025-66376 by April 1, per CISA's KEV listings.
- SharePoint CVE-2026-20963 enables unauthenticated remote code execution via deserialization of untrusted data and affects SharePoint Server 2016, 2019 and Subscription Edition, with fixes issued in January.
- Microsoft updated its advisory this week but has not marked the SharePoint flaw as under active attack, and CISA has not shared indicators or scope of exploitation.
- Zimbra CVE-2025-66376 is a stored XSS in the Classic UI abusing CSS @import in HTML emails, patched in November 2025 in versions 10.0.18 and 10.1.13, with potential for session hijacking and data theft.
- Seqrite Labs reports Russian state-backed APT28 used the Zimbra XSS bug against Ukrainian targets to steal credentials and mailbox data, while CISA urges all organizations to apply vendor fixes promptly.
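An added defensive example, not code from the article or from Zimbra: scan an HTML email body for CSS `@import` directives in `<style>` blocks and `style` attributes, the vector the Zimbra bullet names, and strip them before the message is rendered. The sample message and the `untrusted.example` host are constructed for illustration.

```python
"""Flag and strip CSS @import directives in an HTML email body (added example)."""
import re
from html.parser import HTMLParser

# Matches "@import" case-insensitively; also tolerates the backslash-escaped
# spelling (@\import) and stray whitespace used to dodge naive string matching.
IMPORT_RE = re.compile(r"@\s*\\?\s*import\b", re.IGNORECASE)
# Whole statement, from the at-keyword to the terminating semicolon (if any).
IMPORT_STMT_RE = re.compile(r"@\s*\\?\s*import\b[^;]*;?", re.IGNORECASE)


class CssImportScanner(HTMLParser):
    """Record every <style> block or style attribute that carries @import."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.findings = []  # (location, css snippet)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value and IMPORT_RE.search(value):
                self.findings.append((f"<{tag} style=...>", value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # HTMLParser hands the raw contents of <style> to handle_data.
        if self.in_style and IMPORT_RE.search(data):
            self.findings.append(("<style> block", data.strip()))


def find_css_imports(html):
    scanner = CssImportScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def strip_css_imports(html):
    """Defang by deleting each @import statement wherever it appears in the body."""
    return IMPORT_STMT_RE.sub("", html)


# Constructed sample message; untrusted.example is a placeholder host.
SAMPLE_EMAIL = """<html><head>
<style>body { font-family: sans-serif; }
@import url("https://untrusted.example/sheet.css");</style>
</head><body>
<p style="color:red; @import 'https://untrusted.example/x.css';">Invoice attached</p>
</body></html>"""
```

Run `find_css_imports(SAMPLE_EMAIL)` to see both findings; `strip_css_imports` keeps the benign `font-family` and `color` rules while removing the two `@import` statements.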