INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Zimbra XSS Flaw Exploits Microsoft SharePoint Vulnerability
2026-03-19 14:48 | CRITICAL | HIGH
Executive Summary (AI-generated)
Russian APTs have been exploiting a high-severity XSS vulnerability in Zimbra Collaboration, tracked as CVE-2025-66376. The attack relies on insufficiently sanitized HTML emails that run scripts when opened, and it targets users in Ukraine. The activity is attributed to Russia-linked groups such as APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM). The campaign used a phishing email sent from a compromised student account, so that it appeared legitimate, to target Ukraine's State Hydrology Agency. This attack differs from previous ones in its use of an HTML email XSS payload, dual-channel exfiltration, and structured SOAP API abuse. US CISA has added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to address it by April 1st, 2026.
Technical Mitigations (AI-generated)
* Implement secure email filtering and content inspection: deploy email security controls that detect and block malicious messages, and enforce SPF, DKIM, and DMARC to make phishing harder.
* Regularly update and patch Zimbra Collaboration Suite (ZCS): ensure every Zimbra installation carries the latest patches from Synacor (and, for SharePoint, from Microsoft) so that known vulnerabilities such as CVE-2025-66376 are fixed.
* Use a web application firewall (WAF) or intrusion detection system (IDS): deploy a WAF or IDS to detect and block suspicious traffic, reducing the risk of exploitation.
* Implement multi-factor authentication (MFA): require users to authenticate with MFA, such as two-factor authentication (2FA), so that an attacker who obtains credentials through phishing or other means still cannot log in.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation GhostMail, Operation RoundPress, APT28, APT29, Winter Vivern, Sednit, Sofacy, CVE-2026-2096, CVE-2026-20963, CVE-2025-66376, CVE-2026-20131, CVE-2025-27915
Target & Sectors: NORTH_AMERICA; maritime, defense, health, government, manufacturing, education
Incident Timeline
November 2021
Threat actors exploited a Zimbra XSS vulnerability CVE-2025-66376 to target Ukrainian agencies.
Entities: attribution (the Binding Operational Directive)
Context: …agencies two weeks to secure their servers by April 1st, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
June 2022
Threat actors exploited a previously unknown Remote Code Execution vulnerability in Zimbra, allowing them to breach over 1,000 servers.
Entities: tactic (Remote Code Execution); infrastructure (1,000 servers)
Context: For instance, as early as June 2022, Zimbra auth-bypass and remote code execution bugs were abused to breach more than 1,000 servers.
September 2022
Hackers exploited a zero-day vulnerability in Zimbra Collaboration Suite to breach nearly 900 Ukrainian servers via an XSS flaw.
Entities: tactic (Remote Code Execution); infrastructure (900 servers)
Context: Starting in September 2022, hackers exploited a zero-day vulnerability in Zimbra Collaboration Suite, breaching nearly 900 servers within two months after gaining remote code execution on compromised instances.
September 2024
Threat actors used a Zimbra XSS flaw CVE-2025-66376 to target Ukrainian organizations via the Interlock ransomware operation.
Entities: tactic (Ransomware); organisation (ClickFix)
Context: The Interlock ransomware operation surfaced in September 2024 and has been linked to ClickFix and to malware attacks in which they deployed a remote access trojan called NodeSnake on the networks of multiple U.K. universities.
November 2025
Russian APT actors exploited a Zimbra XSS flaw CVE-2025-66376 in versions 10.0.18 and 10.1.13 to target Ukraine.
Entities: infrastructure (10.1.13; 10.0.18; 8.8); vulnerability (CVE-2026-20963); general_metric (CVSS score 8.8)
Context: (Fixed in versions 10.0.18 and 10.1.13 in November 2025)
Context: CVE-2026-20963 (CVSS score: 8.8) -
20 Jan 2026
Russian APTs targeted Ukraine via Zimbra XSS flaw CVE-2025-66376, setting up C2 infrastructure on domains js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua and js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua.
Entities: source_region (Russian Federation); threat_actor (APT28; APT29; Winter Vivern); tactic (Phishing; Exfiltration); organisation (Cozy Bear)
Context: The phishing campaign’s C2 infrastructure was set up on 20 Jan 2026 with two domains:
js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua
js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua
Historical patterns show Russian APTs like Fancy Bear (APT28), Cozy Bear (APT29), and Winter Vivern (TA473) targeting Zimbra, but this attack differs as it leverages an HTML email XSS payload requiring user interaction, dual-channel exfiltration, and structured SOAP API abuse.
January 22, 2026
The National Academy of Internal Affairs was targeted by Russian APT actors via exploitation of a Zimbra XSS vulnerability CVE-2025-66376.
Entities: organisation (the National Academy of Internal Affairs)
Context: The email message was sent on January 22, 2026, from a likely compromised email address belonging to the National Academy of Internal Affairs.
January 22
Threat actors exploited a Zimbra XSS vulnerability CVE-2025-66376 to compromise the email accounts of a national maritime agency on January 22.
Entities: industry (Maritime)
Context: A national maritime agency was targeted on January 22 using a compromised student email.
January 2026
Russian APT actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Ukraine in January 2026.
Jan 2026
Threat actors used a Zimbra XSS flaw CVE-2025-66376 to target Ukrainian government entities.
Entities: threat_actor (APT28); organisation (SpyPress)
Context: ZIMBRA, Operation GhostMail is attributed to APT28 with medium confidence.
Context: Based on targeting and payload similarities to SpyPress.
January 26, 2026
Threat actors associated with Interlock ransomware exploited a Zimbra XSS flaw CVE-2025-66376 in Cisco's firewall management software.
Entities: tactic (Ransomware); vulnerability (CVE-2026-20131); infrastructure (10.0); organisation (Amazon; CVSS; Amazon Integrated Security; MadPot)
Context: The disclosure comes as Amazon revealed that threat actors associated with Interlock ransomware have exploited a maximum-severity security flaw impacting Cisco's firewall management software (CVE-2026-20131, CVSS score: 10.0) since January 26, 2026, more than a month before it was publicly disclosed.
Context: "While looking for any current or past exploits of this vulnerability, our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026," said CJ Moses, CISO of Amazon Integrated Security.
Context: According to data gleaned from the tech giant's MadPot global sensor network, the security flaw is said to have been exploited as a zero-day since January 26, 2026, more than a month before it was publicly disclosed by Cisco.
2026-02-16
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 to compromise Catalyst SD-WAN controllers.
Entities: organisation (Catalyst SD-WAN)
Context: Last month, Cisco addressed another maximum-severity flaw that was abused as a zero-day to bypass Catalyst SD-WAN authentication, allowing attackers to compromise controllers and add malicious rogue peers to targeted networks.
March 4, 2026
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 in the Cisco Secure Firewall Management Center web interface to target Ukraine.
Entities: organisation (Cisco Secure Firewall Management Center; BleepingComputer); tactic (T1592.002 - Software)
Context: "On March 4, 2026, Cisco issued a security advisory disclosing a vulnerability in the web interface of Cisco Secure Firewall Management Center Software," Cisco told BleepingComputer on Wednesday in an email statement after publishing.
March 4
Russian APT actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Ukraine via the patched vulnerability on March 4.
Entities: vulnerability (CVE-2026-20131)
Context: Cisco patched the security flaw (CVE-2026-20131) on March 4, warning that it could allow unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices.
Mar 18, 2026
Threat actors exploited a recently disclosed Zimbra XSS vulnerability CVE-2025-66376 to target Ukraine.
March 18, 12:55 EDT
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Ukraine.
Mar 19, 2026
Threat actors exploited a previously unknown Zero-Day Exploit (CVE-2025-66376) in Zimbra to gain unauthorized access and conduct malicious activities against Ukrainian targets.
Mar 18, 2026
Ransomware actors exploited a recently disclosed CVE-2025-66376 in Cisco Secure Firewall Management Center Software to target Ukraine.
Entities: tactic (Ransomware; T1592.002 - Software); attribution (Network Security / Ransomware; Amazon Threat Intelligence; Interlock ransomware; Cisco Secure Firewall Management Center)
Context: Ravie Lakshmanan, Mar 18, 2026, Network Security / Ransomware: Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software.
2026-03-19
Russian APT actors exploited a stored XSS vulnerability in Zimbra, CVE-2025-66376.
Entities: organisation (APT; Zimbra XSS; CVE-2025-66376; Zimbra Collaboration; Seqrite Labs; BlueDelta; State Hydrology Agency; CVE-2025; a Zimbra XSS; CVSS; Microsoft Office SharePoint; CSS); threat_actor (APT28; Winter Vivern); infrastructure (Microsoft Office)
Context: Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376.
Context: Russian APT exploits a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, running scripts via HTML emails to target users in Ukraine.
Context: More recently, threat actors exploited another Zimbra XSS vulnerability (CVE-2025-27915) in zero-day attacks to execute arbitrary JavaScript code, enabling them to set email filters that redirect messages to attacker-controlled servers.
Context: The vulnerabilities in question are as follows - CVE-2025-66376 (CVSS score: 7.2) -
Context: Below are the flaws added to the catalog: CVE-2026-20963 (CVSS score of 8.8) – Microsoft SharePoint Deserialization of Untrusted Data Vulnerability; CVE-2025-66376 (CVSS score of 7.2) – Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability. The first vulnerability added to the catalog, tracked as CVE-2026-20963, is a deserialization of untrusted data in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network.
Context: Russia-linked threat actor exploits a high-severity XSS vulnerability, tracked as CVE-2025-66376 (CVSS score of 7.2), in Zimbra Collaboration.
Context: According to cybersecurity firm Seqrite Labs, a Russia-linked APT group, likely APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM), has exploited the Zimbra vulnerability in attacks against entities in Ukraine.
Context: The Russian state-backed Winter Vivern hacking group also used reflected XSS exploits to breach the Zimbra webmail portals of NATO-aligned governments and the mailboxes of government officials, military personnel, and diplomats.
Context: A phishing email targeted Ukraine’s State Hydrology Agency, part of critical infrastructure, using a compromised student account to appear legitimate.
Context: “When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376 which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content.”
Context: While Synacor (the company behind Zimbra) didn't share any details on the impact of a successful CVE-2025-66376 attack, it can likely be exploited to execute arbitrary JavaScript via malicious HTML-based emails, potentially allowing attackers to hijack user sessions and steal sensitive data within the compromised Zimbra environment.
Context: The message hid malicious JavaScript in the HTML body, exploiting a Zimbra XSS flaw (CVE-2025-66376).
Context: Ravie Lakshmanan, Mar 19, 2026, Network Security / Vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild.
Context: A deserialization of untrusted data vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to execute code over a network.
Context: The second flaw added to the KEV catalog, tracked as CVE-2025-66376, is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML.
Context: Tracked as CVE-2025-66376 and patched in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI that remote unauthenticated attackers could exploit by abusing Cascading Style Sheets (CSS) @import directives in email HTML.
Context: The flaw is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML.
Context: A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
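The root cause quoted above is CSS @import left unsanitized in email HTML that the webmail client then renders. As an added example (not Zimbra's or Synacor's code, and not taken from any of the quoted reports), the Python below shows the check an inbound-mail filter or webmail sanitizer needs: it pulls every CSS block out of an HTML body, normalises CSS comments and backslash escapes the way a browser's tokenizer does so that an @import cannot be disguised, and reports where one was found. Function names, the sample messages and the cdn.example host are constructed for this example.

```python
"""Detect CSS @import directives in HTML email bodies.

Added example for the CVE-2025-66376 discussion; not Zimbra/Synacor code.
Function names and sample messages are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# CSS lets an author write "@\69mport" (hex escape for "i") or "@/**/import";
# a browser's CSS tokenizer resolves both to the @import at-keyword, so the
# check has to normalise the same way before matching.
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
_AT_IMPORT = re.compile(r"@\s*import\b")


def normalise_css(css: str) -> str:
    """Remove comments, decode backslash escapes and lower-case the CSS."""
    def _unescape(m: "re.Match") -> str:
        if m.group(1):
            try:
                return chr(int(m.group(1), 16))
            except ValueError:  # code point above U+10FFFF
                return ""
        return m.group(2)
    without_comments = _CSS_COMMENT.sub("", css)
    return _CSS_ESCAPE.sub(_unescape, without_comments).lower()


class _CssCollector(HTMLParser):
    """Collect the text of every <style> element and every style="" attribute."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.blocks = []  # (location, raw css) pairs
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            # Attribute values arrive entity-decoded, as the browser sees them.
            if name == "style" and value:
                self.blocks.append((f"<{tag} style>", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> content is raw text (no entity decoding), matching browsers.
        if self._in_style:
            self.blocks.append(("<style>", data))


def find_css_imports(html_body: str) -> List[Tuple[str, str]]:
    """Return (location, normalised css) for each CSS block containing @import."""
    collector = _CssCollector()
    collector.feed(html_body)
    collector.close()
    hits = []
    for where, css in collector.blocks:
        normalised = normalise_css(css)
        if _AT_IMPORT.search(normalised):
            hits.append((where, normalised.strip()))
    return hits


def should_quarantine(html_body: str) -> bool:
    """Policy hook for a mail filter: any @import in email CSS is disallowed."""
    return bool(find_css_imports(html_body))


# Constructed sample messages; cdn.example is a placeholder host.
SAMPLE_MESSAGES = {
    "plain": "<html><body><p>Quarterly hydrology report attached.</p></body></html>",
    "style_import": '<html><head><style>@import url("https://cdn.example/a.css");'
                    "</style></head><body>Hello</body></html>",
    "escaped": "<style>@/*x*/\\69mport 'https://cdn.example/b.css';</style>",
    "attr_entity": '<div style="@&#105;mport url(https://cdn.example/c.css)">t</div>',
    "comment_only": "<style>/* @import is only mentioned here */ body{color:red}</style>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:13s} quarantine={should_quarantine(body)} {find_css_imports(body)}")
```

The comment-only sample is there to show the normaliser does not flag an @import that only appears inside a CSS comment, which the browser would ignore anyway.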
organisation
HTML
The second flaw added to the KeV catalog, tracked as CVE-2025-66376, is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML.
Tracked as
CVE-2025-66376
and
patched
in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI that remote unauthenticated attackers could exploit by abusing Cascading Style Sheets (CSS) @import directives in email HTML.
The flaw is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML.
A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
organisation
KeV
The second flaw added to the KeV catalog, tracked as CVE-2025-66376, is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML.
organisation
the Classic UI
Tracked as
CVE-2025-66376
and
patched
in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI that remote unauthenticated attackers could exploit by abusing Cascading Style Sheets (CSS) @import directives in email HTML.
A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
organisation
Synacor
While Synacor (the company behind Zimbra) didn't share any details on the impact of a successful CVE-2025-66376 attack, it can likely be exploited to execute arbitrary JavaScript via malicious HTML-based emails, potentially allowing attackers to hijack user sessions and steal sensitive data within the compromised Zimbra environment.
Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.
infrastructure
10.1.13
Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.
infrastructure
10.0.18
Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.
organisation
Operation GhostMail
Seqrite Labs tracked this campaign as Operation GhostMail.
The activity has been codenamed Operation GhostMail.
organisation
ZCS
A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
organisation
DNS
Then they exfiltrated stoled data via DNS and HTTPS.
The captured data is exfiltrated over both DNS and HTTPS.
organisation
HTTPS
Then they exfiltrated stoled data via DNS and HTTPS.
The captured data is exfiltrated over both DNS and HTTPS.
organisation
Kettering Health
Interlock has also claimed responsibility for attacks on
DaVita
,
Kettering Health
,
the Texas Tech University System
, and the
city of Saint Paul
, Minnesota.
organisation
the Texas Tech University System
Interlock has also claimed responsibility for attacks on
DaVita
,
Kettering Health
,
the Texas Tech University System
, and the
city of Saint Paul
, Minnesota.
organisation
Ransomware
Ransomware gang exploits Cisco flaw in zero-day attacks since January.
organisation
Secure Firewall Management Center
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January.
organisation
Interlock Ransomware
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access.
organisation
Root Access
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access.
infrastructure
Windows
The disclosure comes as Google
revealed
that ransomware actors are changing their tactics in response to declining payment rates, targeting vulnerabilities in common VPNs and firewalls for initial access and leaning less on external tooling and more on built-in Windows capabilities.
The list of identified tools is as follows -
A PowerShell reconnaissance script used for systematic Windows environment enumeration, gathering details about operating system and hardware, running services, installed software, storage configuration, Hyper-V virtual machine inventory, user file listings across Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 browser, active network connections, and RDP authentication events from Windows event logs.
organisation
Google
The disclosure comes as Google
revealed
that ransomware actors are changing their tactics in response to declining payment rates, targeting vulnerabilities in common VPNs and firewalls for initial access and leaning less on external tooling and more on built-in Windows capabilities.
organisation
SEO
Multiple threat clusters, both ransomware operators themselves and initial access brokers, have also been found to employ malvertising and/or search engine optimization (SEO) tactics to distribute malware payloads for initial access.
organisation
Amazon
"We appreciate Amazon's partnership on this, and we have updated our security advisory with the latest information.
The discovery, Amazon said, was made possible, thanks to an operational security blunder on the part of the threat actor that exposed their cybercrime group's operational toolkit via a misconfigured infrastructure server, offering insights into its multi-stage attack chain, bespoke remote access trojans, reconnaissance scripts, and evasion techniques.
organisation
Ivanti
The attack once again highlights a persistent pattern of threat actors targeting edge network devices from different vendors, including Cisco, Fortinet, Ivanti, and others, to obtain initial access to target networks.
organisation
The Red Report 2026
The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
organisation
IBM
More recently,
IBM X-Force researchers reported
that Interlock operators have deployed a new malware strain dubbed Slopoly, likely created using generative AI tools.
organisation
Amazon Integrated Security
Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers," CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, said in a
report
shared with The Hacker News.
organisation
CJ Moses
Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers," CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, said in a
report
shared with The Hacker News.
organisation
The Hacker News
Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers," CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, said in a
report
shared with The Hacker News.
organisation
Unified Communications
For instance, in January, it fixed
a maximum-severity Cisco AsyncOS zero-day
that had been exploited to breach secure email appliances since November and patched a
critical Unified Communications RCE
that was also abused in zero-day attacks.
organisation
ScreenConnect
In light of active exploitation of the flaw, users are advised to apply patches as soon as possible, conduct security assessments to identify potential compromise, review ScreenConnect deployments for unauthorized installations, and implement defense-in-depth strategies.
organisation
Desktop, Documents
The list of identified tools is as follows -
A PowerShell reconnaissance script used for systematic Windows environment enumeration, gathering details about operating system and hardware, running services, installed software, storage configuration, Hyper-V virtual machine inventory, user file listings across Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 browser, active network connections, and RDP authentication events from Windows event logs.
organisation
Downloads
organisation
Chrome, Edge
organisation
RDP
infrastructure
Linux
A Bash script for configuring Linux servers as HTTP reverse proxies to obscure the attacker's true origins.
The script delivers fail2ban, an open-source Linux intrusion prevention tool, and compiles and spawns an HAProxy instance that listens on port 80 and forwards all inbound HTTP traffic to a hard-coded target IP address.
organisation
HAProxy
organisation
IP
organisation
ELF
Once this step is complete, the commands are sent to fetch an ELF binary from a remote server, which hosts other tools linked to Interlock.
organisation
HISTFILE
Furthermore, the infrastructure laundering script runs a log erasure routine as a cron job every five minutes to aggressively delete and purge the contents of *.log files and suppress shell history by unsetting the HISTFILE variable.
organisation
ConnectWise ScreenConnect
ConnectWise ScreenConnect for persistent remote access and for serving as an alternative pathway should other footholds be detected and removed.
organisation
TOR
Volatility Framework, an open-source memory forensics framework
The links to Interlock stem from "convergent" technical and operational indicators, including the embedded ransom note and TOR negotiation portal.
March 21, 2026
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Ukrainian organizations.
vulnerability
CVE-2025-66376
CISA orders federal agencies to fix the vulnerability CVE-2026-20963 by March 21, 2026 and the flaw CVE-2025-66376 by April 1st, 2026.
vulnerability
CVE-2026-20963
March 23, 2026
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Federal Civilian Executive Branch (FCEB) agencies.
vulnerability
CVE-2025-66376
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply patches for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.
vulnerability
CVE-2026-20963
attribution
Federal Civilian Executive Branch
attribution
FCEB
April 1st, 2026
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Ukrainian organizations.
vulnerability
CVE-2025-66376
On Wednesday, the US CISA added the flaw CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to address it by April 1st, 2026.
CISA orders federal agencies to fix the vulnerability CVE-2026-20963 by March 21, 2026 and the flaw CVE-2025-66376 by April 1st, 2026.
target_region
United States
attribution
Known Exploited
tactic
T1588.006 - Vulnerabilities
vulnerability
CVE-2026-20963
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, Zimbra)
April 1, 2026
Threat actors exploited a Zimbra XSS flaw CVE-2025-66376 to target Ukrainian Federal Civilian Executive Branch agencies.
vulnerability
CVE-2025-66376
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply patches for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.
vulnerability
CVE-2026-20963
attribution
Federal Civilian Executive Branch
attribution
FCEB
April 1st
The agencies were ordered to secure their servers within two weeks of the directive's issuance, as mandated by the Binding Operational Directive 22-01.
attribution
Binding Operational Directive (BOD) 22-01
agencies two weeks to secure their servers by April 1st, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
Tactical Metrics
Metrics
infrastructure
10.1.13
Software Version
Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.
(Fixed in versions 10.0.18 and 10.1.13 in November 2025)
CVE-2026-20963 (CVSS score: 8.8) -
Metrics
infrastructure
10.0.18
Software Version
Metrics
infrastructure
Microsoft Office
Affected Product
Ravie Lakshmanan
Mar 19, 2026
Network Security / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild.
A deserialization of untrusted data vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to execute code over a network.
Below are the flaws added to the catalog:
CVE-2026-20963 (CVSS score of 8.8) – Microsoft SharePoint Deserialization of Untrusted Data Vulnerability;
CVE-2025-66376 (CVSS score of 7.2) – Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability;
The first vulnerability added to the catalog, tracked as CVE-2026-20963, is a deserialization of untrusted data in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network.
Metrics
infrastructure
10.0
Software Version
The disclosure comes as Amazon revealed that threat actors associated with Interlock ransomware have exploited a maximum-severity security flaw impacting Cisco's firewall management software (CVE-2026-20131, CVSS score: 10.0) since January 26, 2026, more than a month before it was publicly disclosed.
Metrics
infrastructure
8.8
Software Version
(Fixed in versions 10.0.18 and 10.1.13 in November 2025)
CVE-2026-20963 (CVSS score: 8.8) -
Metrics
infrastructure
Ivanti
Affected Product
The attack once again highlights a persistent pattern of threat actors targeting edge network devices from different vendors, including Cisco, Fortinet, Ivanti, and others, to obtain initial access to target networks.
Metrics
infrastructure
1,000
Servers
For instance, as early as June 2022, Zimbra auth-bypass and remote code execution bugs were abused to breach more than 1,000 servers.
Metrics
infrastructure
900
Servers
Starting in September 2022, hackers exploited a zero-day vulnerability in Zimbra Collaboration Suite, breaching nearly 900 servers within two months after gaining remote code execution on compromised instances.
Metrics
infrastructure
Windows
Affected Product
The list of identified tools is as follows -
A PowerShell reconnaissance script used for systematic Windows environment enumeration, gathering details about operating system and hardware, running services, installed software, storage configuration, Hyper-V virtual machine inventory, user file listings across Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 browser, active network connections, and RDP authentication events from Windows event logs.
The disclosure comes as Google revealed that ransomware actors are changing their tactics in response to declining payment rates, targeting vulnerabilities in common VPNs and firewalls for initial access and leaning less on external tooling and more on built-in Windows capabilities.
Metrics
infrastructure
Linux
Affected Product
A Bash script for configuring Linux servers as HTTP reverse proxies to obscure the attacker's true origins.
The script delivers fail2ban, an open-source Linux intrusion prevention tool, and compiles and spawns an HAProxy instance that listens on port 80 and forwards all inbound HTTP traffic to a hard-coded target IP address.
Intelligence Sources
The Hacker News, 2026-03-19
Security Affairs, 2026-03-18
BleepingComputer, 2026-03-18: CISA orders feds to patch Zimbra XSS flaw exploited in attacks
The Hacker News, 2026-03-18
Security Affairs, 2026-03-19: Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
Tactical Intelligence
Incident Version History
CURRENT VERSION
Last Updated: 2026-05-20T12:15
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Entity Type | Value | Kind
57x | organisation | Identified Entity | APT | entity
28x | attribution | Attributing Entity | Known Exploited | authority
27x | timeline | Temporal Reference | 20 Jan 2026 | date
8x | tactic | Cyber Operation Type | Phishing | tactic
7x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
6x | industry | Targeted Sector | Government | sector
5x | vulnerability | Exploited CVE | CVE-2025-66376 | cve
4x | infrastructure | Software Version | 10.1.13 | version
4x | infrastructure | Affected Product | Microsoft Office | software
3x | source region | Origin Country | Russian Federation | country
3x | threat actor | APT Group | APT28 | actor
2x | target region | Target Country | Ukraine | country
2x | vulnerability | CVSS Score | 7 | score
2x | malware | Malware Payload | Sofacy | tool
2x | campaign | Campaign | Operation GhostMail | operation
2x | infrastructure | Servers | 1,000 | servers
Contextual Telemetry
Context Block
11 METRICS
Category | Metric | Value | Kind
source region | Origin Region | EUROPE | region
general metric | Mar | 19 | mar
general metric | Score | 7 | score
general metric | Fixed Cve-2026 Cvss Score | 9 | fixed cve-2026 cvss score
general metric | Cve-2026 | 20,963 | cve-2026
general metric | Cisa | 1 | cisa
general metric | Red Report | 2,026 | red report
general metric | Malicious Samples | 1,100,000 | malicious samples
general metric | Top Techniques | 10 | top techniques
general metric | Browser | 360 | browser
general metric | Port | 80 | port