CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
Summary
CISA added the stored cross-site scripting (XSS) vulnerability CVE-2025-66376 in Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026. The flaw, patched in early November 2025, allows unauthenticated attackers to execute arbitrary JavaScript via malicious HTML emails, enabling session hijacking and data theft in compromised Zimbra environments. CISA ordered U.S. federal agencies to patch the flaw by April 1, 2026 under BOD 22-01 and encouraged all organizations to apply mitigations promptly. Russian state-sponsored threat group APT28 (Fancy Bear, Strontium), linked to Russia's military intelligence service (GRU), is actively exploiting CVE-2025-66376 in attacks targeting Ukrainian government entities, including the Ukrainian State Hydrology Agency, as part of a phishing campaign codenamed Operation GhostMail. The attack chain relies on malicious HTML email bodies with obfuscated JavaScript payloads that execute silently in vulnerable Zimbra webmail sessions to harvest credentials, session tokens, 2FA codes, saved passwords, and mailbox contents dating back 90 days, with data exfiltrated over DNS and HTTPS. This exploitation follows prior Russian campaigns against Zimbra infrastructure, including operations by Winter Vivern (since February 2023) and APT29 (Cozy Bear, Midnight Blizzard) in October 2024.
Timeline
- 23.01.2026 17:24 · 4 articles
CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
CISA added CVE-2025-66376 to its KEV catalog on March 18, 2026, designating it as a stored XSS flaw in Zimbra Collaboration Suite (ZCS) Classic UI allowing remote unauthenticated attackers to execute arbitrary JavaScript via malicious HTML emails, enabling session hijacking and data theft. The vulnerability, patched in early November 2025, is being actively exploited in the wild by Russian state-sponsored actors such as APT28 (Fancy Bear) in attacks targeting Ukrainian government entities, including the Ukrainian State Hydrology Agency. CISA ordered U.S. federal agencies to patch the flaw by April 1, 2026 under BOD 22-01 and encouraged all organizations to apply mitigations promptly. Exploitation involves silent JavaScript payloads in email bodies that harvest credentials, tokens, and mailbox contents, with data exfiltrated over DNS and HTTPS.
Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
Information Snippets
- CVE-2025-68645 (CVSS score: 8.8) is a PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that allows remote attackers to include arbitrary files without authentication.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-34026 (CVSS score: 9.2) is an authentication bypass in the Versa Concerto SD-WAN orchestration platform that allows attackers to access administrative endpoints.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-31125 (CVSS score: 5.3) is an improper access control vulnerability in Vite (vitejs) that allows the contents of arbitrary files to be returned to the browser.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-54313 (CVSS score: 7.5) is an embedded malicious code vulnerability in eslint-config-prettier that allows execution of a malicious DLL named Scavenger Loader.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-54313 is part of a supply chain attack targeting multiple npm packages, including eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- The phishing campaign targeted package maintainers with bogus links to harvest their credentials, allowing threat actors to publish trojanized versions of the packages.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- Exploitation of CVE-2025-68645 has been ongoing since January 14, 2026, according to CrowdSec.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- Federal agencies must apply patches for these vulnerabilities by February 12, 2026, as per Binding Operational Directive (BOD) 22-01.
  First reported: 23.01.2026 17:24 (2 sources, 2 articles). Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-31125 affects only exposed dev instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
  First reported: 23.01.2026 20:47 (1 source, 1 article). Sources:
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-34026 is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs.
  First reported: 23.01.2026 20:47 (1 source, 1 article). Sources:
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- Affected products for CVE-2025-34026 are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted.
  First reported: 23.01.2026 20:47 (1 source, 1 article). Sources:
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa Concerto confirmed to BleepingComputer that they had fixed them on March 7, 2025.
  First reported: 23.01.2026 20:47 (1 source, 1 article). Sources:
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- Installing an affected package (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) for CVE-2025-54313 would run a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens.
  First reported: 23.01.2026 20:47 (1 source, 1 article). Sources:
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
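The two eslint-config-prettier snippets above (the list of co-targeted packages and the four trojanized versions) translate directly into a lockfile check a defender can run across repositories. The script below is an added example, not code from the page or from any of the projects named; it reads an npm `package-lock.json` (lockfile v1 nested `dependencies` and v2/v3 `packages` layouts), flags eslint-config-prettier at the four versions the page names, and lists the other packages the page associates with the campaign for manual review, since the page gives no version list for them. The sample lockfile is constructed for the demonstration.

```python
"""Scan an npm package-lock.json for the eslint-config-prettier versions named
in the CVE-2025-54313 incident. Added example with a constructed sample lockfile."""
import json
import sys

# Versions the page names as trojanized (install.js launching node-gyp.dll).
AFFECTED = {"eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"}}

# Packages the page names in the same campaign; no version list is given for
# them on the page, so they are only reported for manual review.
REVIEW = {"eslint-plugin-prettier", "synckit", "@pkgr/core",
          "napi-postinstall", "got-fetch", "is"}


def iter_lock_entries(lock):
    """Yield (package_name, version) from both lockfile layouts.

    lockfileVersion 2/3 keeps a flat 'packages' map keyed by node_modules path
    (nested installs look like node_modules/a/node_modules/b); lockfileVersion 1
    (and v2 for compatibility) keeps a nested 'dependencies' tree."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # keeps scoped names intact
        yield name, meta.get("version")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lockfile(lock):
    """Return (hits, review): hits are known-bad name/version pairs, review are
    campaign-associated packages whose pinned version should be checked by hand."""
    hits, review = set(), set()
    for name, version in iter_lock_entries(lock):
        if name in AFFECTED and version in AFFECTED[name]:
            hits.add((name, version))
        elif name in REVIEW:
            review.add((name, version))
    return sorted(hits), sorted(review)


# Constructed sample: one known-bad pin plus two packages needing review.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/eslint-config-prettier": {"version": "10.1.6"},
        "node_modules/eslint-plugin-prettier": {"version": "5.2.1"},
        "node_modules/is": {"version": "3.3.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}


def main(argv):
    lock = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_LOCK
    hits, review = scan_lockfile(lock)
    for name, version in hits:
        print(f"KNOWN-BAD  {name}@{version}")
    for name, version in review:
        print(f"REVIEW     {name}@{version}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_lock.py package-lock.json`; a non-zero exit on a known-bad pin makes it usable as a CI gate. A hit means the trojanized tarball was resolved at install time, so the host that ran `npm install` should be treated as having had its npm tokens exposed, which is the impact the page describes.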
- CVE-2025-68645 is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1 caused by improper handling of user-supplied parameters in the RestFilter servlet.
  First reported: 23.01.2026 20:47 (1 source, 1 article). Sources:
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
- CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) Classic UI that allows remote unauthenticated attackers to exploit CSS @import directives in email HTML to execute arbitrary JavaScript.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
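Since the page identifies CSS `@import` directives in email HTML as the vector for CVE-2025-66376, a mail gateway or mailbox-sweep rule can flag messages carrying that construct before (or after) they reach a Classic UI session. The following is an added example, not code from the page, Zimbra, or any of the reporting outlets; it extracts `<style>` blocks and `style=` attributes from an HTML body, undoes CSS backslash escapes (which otherwise hide the keyword from a naive string match), and reports any block containing `@import`. The message bodies and the `example.invalid` host are constructed for the demonstration.

```python
"""Flag HTML email bodies whose CSS contains @import directives.
Added detection example with constructed sample messages."""
import re
from html.parser import HTMLParser


class StyleCollector(HTMLParser):
    """Gather the text of <style> elements and every style="..." attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._in_style = False
        self._buf = []
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.blocks.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            self.blocks.append("".join(self._buf))
            self._buf = []

    def handle_data(self, data):
        if self._in_style:
            self._buf.append(data)


_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)", re.DOTALL)


def unescape_css(text):
    """Decode CSS escapes such as @\\69mport so the keyword is matchable."""
    def repl(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _CSS_ESCAPE.sub(repl, text)


_IMPORT = re.compile(r"@import\b", re.IGNORECASE)


def find_css_imports(html_body):
    """Return the (decoded, truncated) CSS blocks that contain an @import."""
    parser = StyleCollector()
    parser.feed(html_body)
    parser.close()
    return [unescape_css(b).strip()[:80] for b in parser.blocks
            if _IMPORT.search(unescape_css(b))]


# Constructed samples: a plain newsletter and a message using @import in both
# an escaped inline style and a <style> element.
BENIGN_HTML = """<html><head><style>p { color: #333; }</style></head>
<body><p style="font-weight:bold">Quarterly report attached.</p></body></html>"""

SUSPICIOUS_HTML = """<html><head>
<style>@import url("https://example.invalid/a.css");</style></head>
<body><div style="@\\69mport url(https://example.invalid/b.css)">hello</div>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        hits = find_css_imports(body)
        print(f"{label}: {len(hits)} @import block(s)")
        for h in hits:
            print("   ", h)
```

`@import` has no place in a marketing or transactional email template, so a match is a low-noise signal; on a Zimbra deployment still awaiting the November 2025 patch, matching messages can be quarantined at the gateway, and a retroactive sweep of mailboxes for the same pattern gives incident responders a starting list of accounts whose sessions may have been exposed.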
- CVE-2025-66376 was patched in early November 2025.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- CISA added CVE-2025-66376 to its KEV catalog on March 18, 2026.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- CISA ordered U.S. federal agencies to patch CVE-2025-66376 by April 1, 2026 under BOD 22-01.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- CVE-2025-66376 is being actively exploited in the wild by threat actors.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- Zimbra Collaboration Suite is widely used by hundreds of millions of people and thousands of businesses and government agencies globally.
  First reported: 18.03.2026 21:57 (1 source, 1 article). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- CVE-2025-66376 likely enables session hijacking and data theft within compromised Zimbra environments.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- Zimbra servers have been frequent targets of attacks, including exploitation by the Russian state-backed Winter Vivern group using reflected XSS vulnerabilities.
  First reported: 18.03.2026 21:57 (1 source, 1 article). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- CISA encouraged all organizations, not just federal agencies, to patch CVE-2025-66376 promptly.
  First reported: 18.03.2026 21:57 (1 source, 2 articles). Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- APT28 (Fancy Bear, Strontium), a Russian GRU-linked state-sponsored threat group, is exploiting CVE-2025-66376 to target Ukrainian government entities.
  First reported: 19.03.2026 16:55 (1 source, 1 article). Sources:
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- The vulnerability enables remote code execution (RCE) and compromise of Zimbra servers and email accounts when exploited via malicious HTML email bodies.
  First reported: 19.03.2026 16:55 (1 source, 1 article). Sources:
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- Seqrite Labs reported the exploitation by APT28 in attacks against Ukraine, including the Ukrainian State Hydrology Agency, as part of Operation GhostMail.
  First reported: 19.03.2026 16:55 (1 source, 1 article). Sources:
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- The phishing emails contained no attachments or links; the malicious JavaScript payload executed silently in the browser to harvest credentials, session tokens, 2FA codes, saved passwords, and mailbox contents going back 90 days.
  First reported: 19.03.2026 16:55 (1 source, 1 article). Sources:
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- Exfiltration of stolen data occurred over both DNS and HTTPS protocols.
  First reported: 19.03.2026 16:55 (1 source, 1 article). Sources:
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
- Zimbra has been frequently targeted by Russian state-sponsored groups, including Winter Vivern (since February 2023) and APT29 (Cozy Bear) in October 2024.
  First reported: 19.03.2026 16:55 (1 source, 1 article). Sources:
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55
Similar Happenings
Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access
A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. The attack chain includes post-exploitation tooling such as custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are being leveraged for ransomware operations and secondary monetization.
Two Actively Exploited Roundcube Vulnerabilities Added to CISA KEV Catalog
CISA added two vulnerabilities in Roundcube webmail software to its KEV catalog, citing active exploitation. CVE-2025-49113 (CVSS 9.9) allows remote code execution via untrusted data deserialization, while CVE-2025-68461 (CVSS 7.2) is a cross-site scripting flaw. Both vulnerabilities were patched in 2025, but exploits have been developed and sold. The flaws have been linked to nation-state actors in the past. FCEB agencies must remediate by March 13, 2026. Over 84,000 vulnerable Roundcube webmail installations were identified shortly after the patch for CVE-2025-49113 was released, and CVE-2025-68461 can be exploited through low-complexity XSS attacks abusing the animate tag in SVG documents.
Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA
BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada.
The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.
Microsoft January 2026 Patch Tuesday Addresses 3 Zero-Days, 114 Flaws
Microsoft's January 2026 Patch Tuesday addressed 114 vulnerabilities, including three zero-days: one actively exploited (CVE-2026-20805) and two publicly disclosed (CVE-2026-21265 and CVE-2023-31096). The updates covered a range of flaw types, with eight classified as 'Critical,' including remote code execution and elevation-of-privilege vulnerabilities. Additionally, Microsoft released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability (CVE-2026-21509) exploited in attacks, affecting multiple Office versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 and CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026, and February 16, 2026, respectively. The flaw was discovered by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team, and affects several versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances
Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco has released security updates for the vulnerability and recommends securing and restricting access to vulnerable appliances. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.