CISA Adds Critical SharePoint Deserialization and Zimbra XSS Flaws to KEV Catalog
What Happened — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE‑2026‑20963 in Microsoft SharePoint (CVSS 8.8) and CVE‑2025‑66376 in Zimbra Collaboration Suite (CVSS 7.2). The SharePoint flaw enables remote code execution and the Zimbra flaw stored cross‑site scripting; both are slated for mandatory remediation by federal agencies in March‑April 2026.
Why It Matters for TPRM —
- Exploited flaws in widely‑deployed collaboration platforms can cascade to downstream vendors and customers.
- Federal remediation deadlines often become de‑facto industry benchmarks, accelerating patch cycles.
- Unpatched SharePoint or Zimbra instances expose confidential documents, emails, and authentication tokens.
Who Is Affected — Enterprises and agencies using Microsoft SharePoint (on‑premises or SharePoint Online) and organizations running Zimbra Collaboration Suite, across all sectors (finance, healthcare, government, etc.).
Recommended Actions —
- Verify that all SharePoint and Zimbra deployments are patched to the versions addressing CVE‑2026‑20963 and CVE‑2025‑66376.
- Review third‑party service contracts to ensure vendors have applied the fixes.
- Update vulnerability management policies so that KEV catalog entries are treated as high‑priority items with expedited remediation deadlines, regardless of their CVSS score.
Technical Notes — CVE‑2026‑20963 is a deserialization‑of‑untrusted‑data vulnerability that lets unauthenticated attackers execute arbitrary code on SharePoint servers; note that the 8.8 base score (rather than 9.8) indicates some precondition beyond network reachability, so confirm the exact attack vector in the vendor advisory. CVE‑2025‑66376 is a stored XSS issue in Zimbra’s Classic UI that is abused by placing malicious CSS @import directives in the HTML body of an email, which the Classic UI then renders for the recipient. Source: SecurityAffairs article
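As an added example (not code from the page, from CISA or from Zimbra), the following Python script flags the vector class the Zimbra note describes: CSS @import directives, including CSS‑escaped spellings such as @\69mport, in the HTML body of an email. The sample messages and the attacker.example host are constructed; the script detects the presence of the vector for mail‑flow triage or hunting in stored mail and does not reproduce the exploit.

```python
# Added triage example (not code from the page, CISA or Zimbra): flag CSS
# @import directives in an email's HTML body, the vector the note describes
# for the Zimbra Classic UI stored XSS.  All sample messages are constructed.
import re
from html.parser import HTMLParser

# CSS allows escapes such as "\69" or "\000069 " for a single character, so
# "@\69mport" is a valid spelling of "@import".  Decode them before matching.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
_IMPORT = re.compile(r"@import\b", re.I)


def decode_css_escapes(css: str) -> str:
    """Resolve CSS backslash escapes (hex code points and literal escapes)."""
    def repl(m):
        if m.group(1):
            try:
                return chr(int(m.group(1), 16))
            except (ValueError, OverflowError):
                return ""
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, css)


class _CssCollector(HTMLParser):
    """Visit every place CSS can appear in an HTML mail body: <style> bodies,
    style= attributes and <link rel=stylesheet> references."""

    def __init__(self) -> None:
        # convert_charrefs=True (the default) means "&#64;import" inside an
        # attribute is decoded to "@import" before our check sees it.
        super().__init__()
        self._in_style = False
        self.findings = []  # list of (location, evidence) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if attrs.get("style"):
            self._check("style attribute on <%s>" % tag, attrs["style"])
        if tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            # Not @import, but the same class of remote-CSS load; record it too.
            self.findings.append(("<link rel=stylesheet>", attrs.get("href") or ""))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the raw contents of <style> to handle_data (CDATA mode).
        if self._in_style:
            self._check("<style> block", data)

    def _check(self, where, css):
        decoded = decode_css_escapes(css)
        if _IMPORT.search(decoded):
            self.findings.append((where, " ".join(decoded.split())[:80]))


def find_css_import_vectors(html: str) -> list:
    """Return [(location, evidence), ...]; an empty list means no @import or
    external stylesheet reference was found in the message body."""
    parser = _CssCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples (not real messages).
BENIGN = '<html><body style="color:#333"><p>Quarterly report attached.</p></body></html>'
IMPORT_IN_STYLE = ('<html><head><style>\n  @import url("https://attacker.example/x.css");\n'
                   '</style></head><body><p>hi</p></body></html>')
ESCAPED_IN_ATTR = '<div style="@\\69mport url(https://attacker.example/y.css)">hi</div>'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN),
                         ("import-in-style", IMPORT_IN_STYLE),
                         ("escaped-in-attr", ESCAPED_IN_ATTR)]:
        print(name, find_css_import_vectors(sample))
```

@import also appears in legitimate marketing mail, so treat a hit as a triage signal for review rather than an automatic block. The durable control is the vendor patch plus an allowlist‑based HTML sanitizer in front of the webmail renderer; this script only tells you which stored or in‑flight messages deserve a look.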