CISA KEV Update: CVE-2025-66376 Zimbra and SharePoint Exploits
- [01] Adversaries are actively exploiting known vulnerabilities in Zimbra and SharePoint to compromise government and enterprise environments.
- [02] Impacted platforms include Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint, alongside unpatched Cisco networking hardware.
- [03] Administrators must prioritize patching these flaws immediately and verify that all Cisco zero-day mitigations are fully implemented.
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, signaling urgent threats to enterprise infrastructure. According to The Hacker News, the update highlights active exploitation of Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. The agency also warned of a Cisco zero-day being leveraged in ransomware campaigns, underscoring the immediate need for vulnerability management across the SOC.
Technical Analysis of CVE-2025-66376
The most prominent addition is CVE-2025-66376, a stored XSS vulnerability in Synacor Zimbra Collaboration Suite. With a CVSS score of 7.2, this flaw allows attackers to inject malicious scripts into the web-based interface of ZCS. Unlike reflected XSS, a stored XSS attack is persistent: the malicious payload is saved on the server and affects any user who views the compromised page or email content. This activity maps to several MITRE ATT&CK techniques, including Exploit Public-Facing Application (T1190).
In a typical attack scenario, an unauthenticated actor sends a specially crafted email or message that contains the payload. When an administrative user or targeted employee interacts with the Zimbra interface, the script executes within their browser context. This can lead to the theft of session cookies, enabling Lateral Movement within the organization's email environment. To detect exploitation of CVE-2025-66376, audit ZCS access logs for unusual patterns that indicate script injection or unauthorized session token usage.
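As an added illustration of the log audit described above (example code written for this article, not Zimbra's, CISA's, or The Hacker News' own), the following Python script scans constructed access-log lines for URL-encoded script markers in request parameters and for one auth token appearing from more than one client IP, the two signals a stolen-session scenario leaves behind. The log layout and the trailing token= field are assumptions; real ZCS logs differ, so the parser would need adapting.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in a combined-log-like format with an appended auth-token field.
# This is NOT real Zimbra log output; the field layout is an assumption made for the example.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Dec/2025:09:00:01 +0000] "GET /h/search?query=report HTTP/1.1" 200 1532 token=tok-a1
10.0.0.5 - alice [01/Dec/2025:09:00:09 +0000] "GET /h/search?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1532 token=tok-a1
198.51.100.7 - - [01/Dec/2025:09:03:40 +0000] "GET /h/search?query=report HTTP/1.1" 200 1532 token=tok-a1
10.0.0.8 - bob [01/Dec/2025:09:04:11 +0000] "GET /h/search?query=quarterly HTTP/1.1" 200 901 token=tok-b2
10.0.0.8 - bob [01/Dec/2025:09:05:02 +0000] "POST /h/compose?body=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 77 token=tok-b2
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ token=(?P<token>\S+)$'
)
# Markers of HTML/JS smuggled into a request parameter (checked after URL-decoding).
XSS_RE = re.compile(r'<\s*script|javascript\s*:|on[a-z]+\s*=|<\s*(img|svg|iframe)\b', re.IGNORECASE)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def has_script_injection(path):
    """True if the request path/query contains script-injection markers once fully decoded."""
    decoded = path
    for _ in range(3):            # peel nested encodings (e.g. %253C -> %3C -> <)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(XSS_RE.search(decoded))

def audit(log_text):
    """Flag (1) script-injection attempts and (2) a single auth token seen from several client IPs."""
    injections, token_ips = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        token_ips[rec["token"]].add(rec["ip"])
        if has_script_injection(rec["path"]):
            injections.append((rec["ts"], rec["ip"], rec["user"], rec["path"]))
    reused = {tok: sorted(ips) for tok, ips in token_ips.items() if len(ips) > 1}
    return {"script_injection": injections, "token_reuse": reused}

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_LOG).items():
        print(finding, value)
```

On the sample data the script reports two injection attempts (one per user) and token tok-a1 being used from both an internal and an external address, which is the pattern to escalate for session revocation.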
Patching CVE-2025-66376 in Zimbra Collaboration Suite
Administrators must prioritize updating ZCS to the latest versions to mitigate this risk. If patching is delayed, attackers can leverage this entry point to establish C2 communication by tricking users into executing commands or providing credentials via spoofed login overlays. Because the script resides on the server, the threat persists until the malicious data is purged and the underlying software is secured.
SharePoint Exploitation and Cisco Zero-Day
CISA also identified active exploitation targeting Microsoft Office SharePoint. While the specific CVE identifier for the SharePoint flaw was not given in the source report, such vulnerabilities often involve RCE or file upload bypasses that allow actors to compromise internal document repositories. Exploitation of SharePoint frequently serves as a bridge for deeper network penetration.
Concurrent with these warnings, Cisco hardware has been targeted via a zero-day vulnerability. This flaw is reportedly being utilized by sophisticated actors to facilitate ransomware attacks. When a zero-day is used for ransomware, the impact is severe because traditional EDR solutions may lack the specific signatures required to block the initial intrusion. Defenders should counter this activity with network segmentation and strict egress filtering to limit an attacker's reach once they establish a foothold. This also means monitoring for phishing attempts that may deliver initial access credentials for these edge devices.
Mitigation and Actionable Recommendations
To mitigate these threats, organizations should follow the CISA-mandated timelines for patching. While federal agencies have strict deadlines, the private sector should treat these as high-priority APT threats.
- Patch Management: Apply the security updates provided by Synacor for Zimbra and Microsoft for SharePoint immediately.
- Log Analysis: Review SIEM alerts for suspicious activities originating from Zimbra and SharePoint servers, particularly any outbound connections to unknown IP addresses.
- Zero Trust Implementation: Adopt a Zero Trust architecture to ensure that even if a server is compromised via XSS or RCE, the attacker cannot easily move through the network.
- Asset Inventory: Ensure all Cisco devices are identified and monitored for unusual configuration changes that might indicate zero-day exploitation.
Threat intelligence confirms that once a vulnerability is added to the KEV catalog, the volume of automated scanning and exploitation attempts increases. Proactive remediation is the only effective defense against these validated threats.