Warning about attacks on Cisco FMC, SharePoint and Zimbra

Cybercriminals are currently attacking vulnerabilities in Cisco FMC, SharePoint and Zimbra. Updates to close the gaps are available.


The US IT security authority CISA and Amazon are warning about cyberattacks they have observed on vulnerabilities in Cisco FMC, SharePoint, and Zimbra. Updates are available that close the security gaps. Admins should apply them now at the latest.

CISA has observed attacks on a vulnerability in Microsoft SharePoint. The software deserializes untrusted data, allowing authenticated attackers to execute malicious code over the network (CVE-2026-20963, CVSS 9.8, risk “critical”). Microsoft closed the gap on the January patch day and on Tuesday this week raised its rating from the initial CVSS 8.8 (“high”) to “critical”.

In a second warning, CISA points to ongoing attacks on Zimbra Collaboration Suite (ZCS). The attackers exploit a stored cross-site scripting vulnerability in the Classic UI, which they can misuse through the “@import” directive in HTML emails (CVE-2025-66376, CVSS 7.2, risk “high”). An update has also been available since January of this year to fix this vulnerability. Versions 10.0.18 (ZCS 10.0) and 10.1.13 (ZCS 10.1) close the gap. CISA provides no information on the nature and extent of the attacks, nor any indication of how successful attacks could be detected.
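Since the advisory gives no detection guidance, the following added example (not from CISA, Zimbra or the original article) shows a generic hunting heuristic for archived mail: it decodes each text/html MIME part and flags `@import` rules inside `<style>` blocks, which a plain grep misses when the part is base64-encoded. It is an assumption that flagging every `@import` is useful triage; this is not a signature for CVE-2025-66376, and the sample message and the `.invalid` URL are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# CSS permits backslash-hex escapes (e.g. "\69" == "i"), so normalize first.
_CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")
# Tolerate a missing </style> so a truncated block is still inspected.
_STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)(?:</style\s*>|\Z)", re.I | re.S)
_IMPORT = re.compile(r"@import\b", re.I)


def _unescape_css(css):
    def repl(match):
        cp = int(match.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _CSS_HEX_ESCAPE.sub(repl, css)


def find_css_imports(raw_message):
    """Return (part_index, context) for each @import in text/html parts."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes base64 / quoted-printable and the charset.
        html = part.get_content()
        for block in _STYLE_BLOCK.finditer(html):
            css = _unescape_css(block.group(1))
            for m in _IMPORT.finditer(css):
                hits.append((idx, css[m.start():m.start() + 60].strip()))
    return hits


def build_sample():
    """Constructed sample: multipart mail whose HTML part is base64-encoded."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text body")
    m.add_alternative(
        '<html><head><style>@import url("https://css.example.invalid/a.css");'
        "</style></head><body>hi</body></html>",
        subtype="html", cte="base64")
    return m.as_bytes()


if __name__ == "__main__":
    for part_index, context in find_css_imports(build_sample()):
        print(f"part {part_index}: {context}")
```

Hits are leads for review, not verdicts: legitimate newsletters occasionally ship `@import` rules too.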

Amazon's security team, meanwhile, reports in detail on an attack wave in which malicious actors exploit a critical security vulnerability in Cisco's Secure Firewall Management Center (FMC). The vulnerability allows unauthenticated attackers from the network to execute arbitrary Java code with root privileges on vulnerable devices (CVE-2026-20131, CVSS 10, risk “critical”). Amazon's IT researchers report that attackers install ransomware from the cyber gang Interlock after successful exploitation. At the end of the analysis, Amazon provides Indicators of Compromise (IOC).


Cisco disclosed the vulnerability and released software updates in early March. Amazon discovered during its investigation that the vulnerability had already been under attack since January 26, 2026, five weeks before Cisco made it public.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.