CISA Warns of Actively Exploited Zimbra and SharePoint Vulnerabilities The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging federal agencies to patch two critical vulnerabilities CVE-2025-66376 (CVSS 7.2) in Synacor Zimbra Collaboration Suite (ZCS) and CVE-2026-20963 (CVSS 8.8) in Microsoft Office SharePoint after confirming active exploitation in the wild. ### Zimbra XSS Flaw Exploited in Targeted Cyberespionage The Zimbra vulnerability (CVE-2025-66376), a stored cross-site scripting (XSS) flaw in the Classic UI, was patched in November 2025 (versions 10.0.18 and 10.1.13). However, a suspected Russian state-sponsored threat group has been exploiting it in Operation GhostMail, a campaign targeting Ukraine’s State Hydrographic Service (hydro.gov[.]ua). The attack leverages a socially engineered internship inquiry email, sent on January 22, 2026, from a compromised account at the National Academy of Internal Affairs. The email contains obfuscated JavaScript embedded in its HTML body, which executes when opened in a vulnerable Zimbra webmail session. Unlike traditional phishing, this attack requires no malicious attachments, links, or macros only interaction with the email itself. The malware harvests credentials, session tokens, 2FA backup codes, browser-saved passwords, and 90 days of email data, exfiltrating it via DNS and HTTPS. Seqrite Labs, which uncovered the campaign, noted that this technique aligns with previous Russian operations like Operation RoundPress, which also exploited XSS flaws in webmail software. ### SharePoint Deserialization Flaw Under Active Attack The second vulnerability, CVE-2026-20963, affects Microsoft Office SharePoint and allows remote code execution (RCE) via deserialization of untrusted data. While no public reports detail its exploitation, CISA’s inclusion in the Known Exploited Vulnerabilities (KEV) catalog confirms its use in attacks. Federal agencies must patch it by March 23, 2026. ### Broader Threat Landscape: Edge Device Exploits The advisory follows Amazon’s disclosure that Interlock ransomware operators exploited a maximum-severity Cisco firewall flaw (CVE-2026-20131, CVSS 10.0) as a zero-day since January 26, 2026, weeks before public disclosure. The group has historically targeted education, healthcare, manufacturing, and government sectors, where operational disruption maximizes ransom pressure. CISA added CVE-2026-20131 to its KEV catalog on March 19, 2026, mandating federal agencies to patch by March 22, 2026. The agency also issued an emergency directive for Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128), which have been actively exploited, requiring agencies to submit logs by March 23, 2026. VulnCheck further warned that CVE-2026-20133, another Catalyst SD-WAN flaw, could enable privilege escalation to root by leaking the `vmanage-admin` private key and `confd_ipc_secret`. The firm cautioned that early exploit research may not capture all attack vectors, emphasizing the need for comprehensive patching. Federal agencies must apply fixes for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.

New Rust-Based 01flip Ransomware Targets Critical Infrastructure in Asia-Pacific Researchers from Palo Alto Networks’ Unit 42 have uncovered 01flip, a sophisticated Rust-based ransomware strain actively targeting Windows and Linux systems in coordinated attacks on critical infrastructure across the Asia-Pacific region, particularly in Southeast Asia. The campaign, first detected in April 2025, marks a shift toward cross-platform ransomware designed to evade detection while maximizing impact. ### Attack Anatomy: From Exploitation to Encryption Threat actors gained initial access by exploiting vulnerabilities in outdated, internet-facing applications, including Zimbra Server. Once inside, they deployed the Linux variant of the Sliver post-exploitation framework to conduct reconnaissance, harvest credentials, and map the network indicating hands-on-keyboard operations rather than automated attacks. By late May 2025, the attackers escalated the campaign, manually distributing 01flip ransomware binaries across both Windows and Linux systems, transitioning from infiltration to large-scale encryption and extortion. ### Encryption & Evasion Tactics 01flip employs a methodical encryption process to disrupt operations while complicating recovery: - Systematic drive enumeration (A-Z) and ransom note deployment (RECOVER-YOUR-FILE.TXT) in every writable directory. - AES-128-CBC encryption with RSA-2048-protected session keys, rendering files inaccessible without the attackers’ private key. - File renaming to ORIGINAL_FILENAME.UNIQUE_ID.(0 or 1).01flip, allowing operators to track infections. To evade detection, 01flip leverages Rust’s low-level API calls, runtime string decoding, and anti-sandbox checks, making it difficult for security tools to identify. The Linux variant remained undetected on VirusTotal for nearly three months, demonstrating its stealth capabilities. ### Broader Implications for Ransomware Evolution The 01flip campaign highlights a growing trend: ransomware written in modern languages like Rust for cross-platform flexibility and reduced detection rates. As attackers adopt these techniques, platform-specific defenses alone are insufficient, requiring organizations to strengthen visibility, patching, and detection across all environments. The attack underscores the need for zero-trust principles, as threat actors increasingly move freely between systems, exploiting gaps in identity controls, lateral movement, and recovery preparedness.

Synacor's Zimbra Collaboration Suite (ZCS) has a critical vulnerability (CVE-2019-9621) that allows attackers to manipulate the server into making unauthorized requests to internal or external resources, potentially exposing sensitive data and compromising network security. The vulnerability, classified under CWE-918 and CWE-807, is being actively exploited and poses significant risks to organizations using the platform. CISA has issued an urgent warning, requiring federal agencies to implement necessary mitigations or discontinue use of affected systems by July 28, 2025.