CISA Warns of Zimbra and SharePoint Exploits as Interlock Ransomware Targets Cisco Zero‑Day

CyberSecureFox

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added new vulnerabilities in Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint to its catalog of actively exploited flaws, signaling ongoing real‑world attacks. In parallel, operators of the Interlock ransomware family are reported to be leveraging a critical Cisco firewall management zero‑day, significantly raising the risk level for organizations that rely on these widely deployed platforms.

CISA highlights active exploitation of Zimbra and SharePoint vulnerabilities

According to CISA, the vulnerabilities CVE-2025-66376 in Zimbra Collaboration Suite and CVE-2026-20963 in Microsoft Office SharePoint are being exploited in the wild. Inclusion in CISA’s Known Exploited Vulnerabilities (KEV) list means that exploitation has been observed and that affected systems represent a high‑priority target for attackers, even if detailed public incident reports are not yet available.

Zimbra Collaboration Suite CVE-2025-66376: email infrastructure at risk

Zimbra Collaboration Suite is widely used by government agencies, educational institutions, and commercial enterprises as a platform for corporate email and collaboration. Successful exploitation of CVE-2025-66376 can provide attackers with a foothold into the organization’s email infrastructure, including access to confidential correspondence and user credentials.

Compromised email platforms are a proven launchpad for further intrusion. Historical incidents such as the exploitation of Microsoft Exchange vulnerabilities (e.g., ProxyLogon in 2021) show that mailbox access often leads to business email compromise (BEC), lateral movement, and full domain compromise.

CISA has mandated that U.S. Federal Civilian Executive Branch (FCEB) agencies apply patches addressing CVE-2025-66376 no later than 1 April 2026. For private organizations, the deadline is advisory rather than binding, but the presence of active exploitation makes delaying Zimbra updates a substantial operational and regulatory risk.

Microsoft Office SharePoint CVE-2026-20963: critical collaboration data exposed

Microsoft Office SharePoint serves as a central hub for document management, intranet portals, and automated business workflows. Exploitation of CVE-2026-20963 can allow threat actors to gain access to sensitive internal data and high‑privilege accounts, potentially impacting everything from HR records to intellectual property.

For this vulnerability, CISA has set a more aggressive remediation timeline for FCEB agencies, requiring patches to be installed by 23 March 2026. This reflects SharePoint’s strategic value as a target in advanced intrusions, where compromising a collaboration platform can unlock broad access to core business processes and internal applications.

Interlock ransomware exploits Cisco firewall zero‑day CVE-2026-20131

While agencies rush to patch Zimbra and SharePoint, Amazon has reported that operators of the Interlock ransomware group have been exploiting a critical flaw, CVE-2026-20131, in Cisco firewall management software as a zero‑day since at least 26 January 2026.

With a CVSS score of 10.0, CVE-2026-20131 is rated at the highest severity level. A zero‑day vulnerability is one that is exploited before a patch or even public awareness exists, leaving defenders with no advance opportunity to harden their systems. In such scenarios, attackers hold a marked tactical advantage.

According to Amazon’s analysis, Interlock focuses on sectors where operational downtime directly translates into maximum pressure to pay ransom: education, engineering, architecture, construction, manufacturing, industrial operations, healthcare, and the public sector. In these environments, encryption or disruption of critical IT systems rapidly causes financial losses, safety concerns, and reputational damage, increasing the likelihood of successful extortion.

Edge devices emerge as a primary initial access vector

The exploitation of CVE-2026-20131 aligns with a broader trend: threat actors are systematically targeting edge devices—including firewalls, VPN gateways, and remote access or management appliances—from vendors such as Cisco, Fortinet, and Ivanti.

There are clear reasons for this emphasis. First, these devices typically have direct exposure to the internet, making them easy to identify and probe via automated scanning. Second, compromising an edge device often yields privileged, trusted access into internal networks, bypassing many endpoint‑based security controls such as antivirus and EDR agents.

Past campaigns against VPN and gateway products (for example, attacks on Fortinet and Ivanti Connect Secure appliances observed before 2024) have demonstrated that once a perimeter device is compromised, attackers can deploy web shells, create backdoor accounts, and pivot into sensitive systems with minimal detection.

The fact that CVE-2026-20131 was used as a zero‑day indicates that financially motivated groups like Interlock are increasingly investing in the discovery and weaponization of previously unknown vulnerabilities, a tactic once largely associated with state‑sponsored APT operations.

Priority actions to mitigate Zimbra, SharePoint and edge device risk

1. Enforce disciplined patch and vulnerability management. Regularly monitor security advisories from CISA and vendors such as Synacor, Microsoft, and Cisco. Prioritize rapid deployment of critical patches on internet‑facing systems, especially email, collaboration platforms, and firewall or VPN management interfaces.

2. Inventory and minimize the attack surface. Identify all externally accessible instances of Zimbra, SharePoint, and network edge devices. Disable unnecessary services, restrict management interfaces to VPN or dedicated admin networks, and apply network segmentation and the principle of least privilege to limit blast radius.

3. Strengthen monitoring and logging for edge and collaboration systems. Integrate logs from firewalls, VPN gateways, email gateways, and collaboration platforms into a centralized logging or SIEM solution. Configure alerts for anomalous access patterns, suspicious administration actions, and indicators of known exploit activity.

4. Harden identity security with multi‑factor authentication (MFA). Enforce MFA for all administrative accounts and remote access users, and regularly audit privileged accounts associated with Zimbra, SharePoint, and Cisco management consoles. Even if an exploit succeeds, MFA can hinder attackers’ ability to maintain persistence and escalate privileges.

5. Prepare for incident response on perimeter systems. Develop and test playbooks for responding to suspected edge‑device compromise, including isolating affected appliances, rotating credentials, reviewing configuration changes, and rebuilding from trusted images where necessary.

Recent attacks against Zimbra, SharePoint, and Cisco firewall management software underscore that unpatched internet‑facing systems and neglected edge devices are now among the most attractive entry points for attackers. Organizations of all sizes benefit from treating exploitation attempts as a matter of “when,” not “if”: by tightening vulnerability management, reducing exposed services, and enhancing monitoring around email, collaboration, and perimeter technologies, defenders can substantially lower the likelihood that a single unpatched system will escalate into a major cybersecurity incident.
