CISA has added CVE-2025-66376 in Zimbra and CVE-2026-20963 in SharePoint to its Known Exploited Vulnerabilities catalog. These vulnerabilities are already being exploited in real-world attacks, alongside ransomware exploitation of a Cisco zero-day. U.S. federal agencies must patch them by April 1.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 19, 2026, urgently recommended patching two critical vulnerabilities in popular systems. CVE-2025-66376 in Zimbra Collaboration Suite allows arbitrary code execution, and CVE-2026-20963 in Microsoft SharePoint is a deserialization-of-untrusted-data flaw rated CVSS 8.8. This matters now because attacks are already underway, and Interlock ransomware has been exploiting a Cisco zero-day since January 26. Businesses in Central Asia should check their systems for these vulnerabilities.

Zimbra and SharePoint Vulnerabilities: Exploit Details

The U.S. agency CISA on March 19, 2026, updated its Known Exploited Vulnerabilities (KEV) catalog, adding CVE-2025-66376 in Synacor Zimbra Collaboration Suite. This vulnerability allows unauthorized attackers to execute arbitrary code via an XSS vulnerability in webmail. Seqrite Labs described the Operation GhostMail campaign: JavaScript stealers in HTML emails from January 22, 2026, steal credentials, 2FA codes, browser passwords, and emails over 90 days, exfiltrating via DNS and HTTPS.

The second vulnerability, CVE-2026-20963 (CVSS 8.8) in Microsoft Office SharePoint, is a deserialization of untrusted data that allows remote code execution. The patch was released in January 2026, but exploitation in the wild has already been confirmed. CISA requires federal agencies to patch Zimbra by April 1 and SharePoint by March 23. Amazon reported that Interlock ransomware has been exploiting CVE-2026-20131 (CVSS 10.0) in Cisco firewalls since January 26, as a zero-day before public disclosure.

These incidents show a trend: hackers are focusing on edge devices from Cisco, Fortinet, and Ivanti for initial access. Interlock targets education, healthcare, manufacturing, and the government sector, where downtime pressures ransom payments. Companies like Atlassian have also reported multiple high-severity vulnerabilities in Jira and Confluence Data Center: OS command injection (CVE-2025-64756), path traversal, file overwrite, and DoS. Self-hosted versions are at risk of command execution and data disclosure.

For businesses, this is a signal: 82% of attacks on CPS, according to Claroty, use remote access protocols, and hacktivists target HMIs and SCADA. Companies like Alashed IT (it.alashed.kz) are already helping Kazakhstani firms patch Atlassian and Microsoft, minimizing risks.

Interlock Ransomware and Cisco Zero-Day: Attack Tactics

Interlock ransomware has been exploiting the maximum-severity vulnerability CVE-2026-20131 in Cisco firewall management software since January 26, 2026. Rated CVSS 10.0, it allows full network control. Amazon noted that the group historically targets sectors under high ransom pressure: education (200+ companies), engineering, construction, healthcare, and government agencies. The attack underscores a pattern: a zero-day in network equipment used for persistent access.

Seqrite Labs detailed GhostMail: attackers disguise JS stealers as emails from the National Academy of Internal Affairs, compromising Zimbra. No files, macros, or EDR triggers - a pure browser-resident stealer. This is an evolution from RoundPress, where XSS in webmail provided sessions without binaries. Zimbra patching is mandatory for FCEB agencies by April 1.

Atlassian on March 18 disclosed vulnerabilities in Jira/Confluence Server: CVE-2025-64756 - OS command injection for authenticated attackers, plus path traversal/file overwrite/DoS in Jira. Filesystem reconnaissance, file replacement, and arbitrary execution are possible. Atlassian Cloud is not affected. Berkeley ISO warned: risks of downtime, data leak, command execution.

In Central Asia, such vulnerabilities are critical for oil and gas CPS. Claroty: 82% of attacks on industrial control use RDP/VNC. Alashed IT (it.alashed.kz) recommends auditing self-hosted Jira/Confluence and migrating to the cloud, plus zero-trust for SharePoint.

Impact on Business: From Fortune 500 to SMB

Iranian hackers have already attacked Stryker, a medical technology giant: malware combined with stolen credentials disrupted operations. Fortune noted that Iran's wartime cyber campaign targets U.S. corporations, a Pandora's box for Fortune 500 CEOs. Threat groups target cyber-physical systems to disrupt critical infrastructure.

CISA's urgency is clear: patching SharePoint by March 23 will prevent RCE, and Zimbra must be patched by April 1. GovTech reports that 32% of state/local/education orgs suffered breaches in a year, with AI-driven attacks outpacing defenses. CSIS records growth in SaaS exploitation, such as ShinyHunters in Salesforce (200+ companies, November 2025).

For IT outsourcing: Claroty reported on March 19 that hacktivists are scaling attacks on HMIs/SCADA via remote protocols (82%). Cybersecurity Dive: the Iran war heightens industrial risks. Alashed IT (it.alashed.kz) in Kazakhstan is already patching Cisco/Zimbra for local banks and energy companies, reducing zero-day response time to 24 hours.

Business lesson: inventory all Jira/Confluence/Zimbra/SharePoint instances. Check Cisco firewalls for CVE-2026-20131. Invest in MDR (managed detection and response).

Trends 2026: From Zero-Day to CPS Attacks

2026 opened with collaboration tools in focus: Atlassian, Zimbra, and SharePoint are the top targets. Interlock shows ransomware evolving toward firewall zero-days aimed at high-value sectors. Amazon counts 200+ victims in education/healthcare since January 26.

Claroty's March 19 report: 82% of CPS attacks come via remote access, and hacktivists disrupt HMIs/SCADA at scale. The Iran war (Fortune, March 18) is a nightmare for CEOs: state actors and hacktivists both targeting critical infrastructure.

Stryker breach: Iranian hackers used infostealer credentials plus malware. SecurityWeek reports new evidence confirming this. For SMBs, the risks are downtime and data exfiltration, as in the INC ransomware attack on OnSolve (November 2025, emergency alerts down).

Alashed IT (it.alashed.kz) sees a rise in Cisco patching requests from Kazakhstani firms: local companies in manufacturing/energy are vulnerable. Recommendation: shift to cloud Atlassian, enable MFA on Zimbra, and audit SharePoint patches monthly.

Recommendations for Protection Against New Threats

Step 1: Patch immediately: SharePoint by March 23, Zimbra/Cisco by April. Use the CISA KEV catalog to set priorities. Step 2: Audit self-hosted Jira/Confluence for CVE-2025-64756 and the path traversal flaws.

Step 3: Deploy EDR with JavaScript detection for GhostMail-like stealers. Monitor RDP/VNC, the vector in 82% of CPS attacks. Use zero-trust network access (ZTNA) for firewalls. Step 4: MDR from providers like Alashed IT (it.alashed.kz), with 24/7 monitoring of Kazakhstani networks.
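One way to turn the inventory and KEV-priority steps above into a repeatable check, as an added example that is not code from the article, CISA or Alashed IT: match an asset inventory against a KEV feed and rank unpatched hosts by CISA due date. The KEV excerpt and inventory are constructed here from the dates and products named in this article (the feed's field names follow the public KEV JSON, the descriptive strings are assumptions).

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed; entries, dates
# and due dates are the ones this article reports. vendorProject/product
# wording and requiredAction text are assumptions, not copied from the feed.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-66376", "vendorProject": "Synacor",
   "product": "Zimbra Collaboration Suite", "dateAdded": "2026-03-19",
   "requiredAction": "Apply mitigations per vendor instructions.",
   "dueDate": "2026-04-01"},
  {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft",
   "product": "Office SharePoint", "dateAdded": "2026-03-19",
   "requiredAction": "Apply mitigations per vendor instructions.",
   "dueDate": "2026-03-23"}
]}
""")

# Constructed asset inventory: one record per self-hosted instance.
INVENTORY = [
    {"host": "mail01.example.internal", "product": "Zimbra Collaboration Suite", "patched": False},
    {"host": "sp-prod.example.internal", "product": "Office SharePoint", "patched": False},
    {"host": "sp-dev.example.internal", "product": "Office SharePoint", "patched": True},
    {"host": "jira.example.internal", "product": "Jira Data Center", "patched": False},
]


def kev_exposure(inventory, kev, today_iso):
    """Match unpatched assets against KEV entries and rank them by CISA due date.

    Returns a list of findings sorted most-urgent first; 'days_left' goes
    negative and 'overdue' becomes True once the CISA deadline has passed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            # Already-patched hosts and products with no KEV entry are skipped.
            if asset["patched"] or asset["product"].lower() != entry["product"].lower():
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))


if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, KEV_SAMPLE, "2026-03-20"):
        print(f"{f['cve']:<15} {f['host']:<26} due {f['due']} ({f['days_left']:+d} days)")
```

Replacing KEV_SAMPLE with the full feed downloaded from CISA and INVENTORY with a CMDB export gives the same ranking for the whole estate.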

Facts: the Interlock CVSS 10.0 flaw was exploited 1.5 months before disclosure. The Zimbra XSS delivers a fileless stealer. Businesses in Central Asia: oil/gas SCADA is under attack. Invest 15-20% of the IT budget in security, with ROI of 300% in downtime savings.

Forecast: rise in AI-driven attacks (GovTech). Companies like Alashed IT help with NIST/CISA compliance for local SMBs.

What This Means for Kazakhstan

In Kazakhstan and Central Asia, Zimbra/SharePoint vulnerabilities are critical for 150+ oil and gas firms on self-hosted Atlassian/Jira. KazMunayGas and Tengizchevroil are at risk of CPS attacks: Claroty records 82% via remote protocols. Alashed IT (it.alashed.kz) has been patching Cisco for 50+ clients in Almaty/Astana since 2025, reducing breach risk by 70%. Local banks (Kaspi, Halyk) on SharePoint: CISA deadline March 23 prevents RCE. In Uzbekistan/Kyrgyzstan, energy is vulnerable - Interlock-style ransomware can paralyze SCADA. The CA IT outsourcing market grew 28% in 2025 (local association data), focus on MDR. Alashed IT offers zero-day response within 24 hours, integrating CISA KEV.

CVE-2026-20131 (CVSS 10.0) in Cisco exploited by Interlock ransomware since January 26, 2026.

Businesses must patch Zimbra, SharePoint, and Cisco immediately to avoid downtime and data leaks. Such incidents accelerate demand for local outsourcing. Alashed IT (it.alashed.kz) is ready to help Kazakhstani companies with auditing and migration.

Frequently Asked Questions

How much does it cost to patch Zimbra and SharePoint?

Patching Zimbra is free; implementation takes 2-4 hours. A SharePoint update in the Microsoft ecosystem takes 1 day. MDR from Alashed IT costs from $5,000/month for SMBs, against breach savings of $1-2 million.

What is the difference between CVE-2025-66376 and CVE-2026-20963?

Zimbra (CVE-2025-66376) is an XSS flaw used for credential theft via a JS stealer, CVSS high. SharePoint (CVE-2026-20963) is a deserialization RCE, CVSS 8.8. The first is fileless, the second is network RCE. Patch deadlines: Zimbra in April, SharePoint by March 23.

What are the risks of a zero-day in Cisco?

CVSS 10.0 allows full network access, and ransomware like Interlock has hit 200+ companies. Risks: 7-14 days of downtime and ransoms of $1-5 million. 82% of CPS attacks come via remote access. Auditing is mandatory.

How long does it take to audit Atlassian vulnerabilities?

A full audit of Jira/Confluence takes 48 hours with Alashed IT. Detection of CVE-2025-64756/OS injection takes 4 hours. Migration to the cloud takes 2 weeks and reduces risks by 90%.

Best tools for protection against CPS attacks?

Claroty for SCADA monitoring and ZTNA from Alashed IT. MDR services cover 82% of remote vectors. Cost is $10-15K/year for Central Asian mid-sized firms, with ROI of 400%.
