CISA adds Three Vulnerabilities to KEV Catalog

Overview

CISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with three new entries this week, spanning enterprise collaboration, file transfer infrastructure, and email collaboration platforms. The additions — affecting Microsoft SharePoint, Wing FTP Server, and Synacor Zimbra Collaboration Suite (ZCS) — confirm active in-the-wild exploitation and trigger mandatory remediation timelines under Binding Operational Directive (BOD) 22-01 for FCEB agencies.

CVE-2026-20963 — Microsoft SharePoint: Deserialization of Untrusted Data

Added to KEV: March 18, 2026
Remediation Deadline (FCEB): March 21, 2026
CWE: CWE-502 — Deserialization of Untrusted Data
Ransomware Association: Unknown

Technical Details:

Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.

This is a pre-authentication or low-authentication-barrier code execution pathway — the attacker does not need to be an authenticated user with privileged access. Deserialization flaws in SharePoint typically stem from how the platform processes serialized objects within web parts, document libraries, or request pipelines. When a malicious serialized payload is submitted and processed by SharePoint, it triggers unintended code execution within the application context.

Similar SharePoint deserialization flaws have historically scored between 8.0 and 9.8 (Critical) on the CVSS scale, reflecting the high impact of arbitrary code execution in enterprise environments.

Why This Matters:

SharePoint is deeply embedded in enterprise environments as a collaboration backbone — it is one of the most widely deployed Microsoft products globally. A code execution flaw exploitable over a network from an unauthenticated or low-privileged position makes this an exceptionally attractive target for initial access brokers and ransomware affiliates. The extraordinarily tight remediation deadline of just three days (March 18 to March 21) signals that CISA assesses this as an imminent, ongoing threat.

Recommended Actions:

  • Apply Microsoft’s March 2026 Patch Tuesday security updates immediately
  • Review SharePoint server logs for anomalous authentication attempts, unexpected file uploads, and unusual administrative activity
  • Restrict network-level access to SharePoint from untrusted sources where operationally feasible
  • Audit SharePoint configurations for web parts and document library endpoints that process external input

CVE-2025-47813 — Wing FTP Server: Information Disclosure via Error Message Leakage

Added to KEV: March 16, 2026
Remediation Deadline (FCEB): March 30, 2026
CVSS Score: 4.3 (Medium)
CWE: CWE-209 — Generation of Error Message Containing Sensitive Information
Affected Versions: All versions prior to and including 7.4.3

Technical Details:

The vulnerability is triggered by supplying a long value in the UID cookie to Wing FTP Server. The shortcoming affects all versions prior to and including version 7.4.3 and was addressed in version 7.4.4, shipped in May following a responsible disclosure by RCE Security researcher Julien Ahrens.

The security defect impacted Wing FTP’s loginok.html endpoint, which failed to properly validate the UID cookie. An attacker could obtain the full installation path by supplying an overlong value. According to the researcher, if a value longer than the maximum path size of the underlying operating system is supplied, an error message is triggered which discloses the full local server path.

The Critical Chain — CVE-2025-47812 (CVSS 10.0):

This medium-severity flaw is deceptive in isolation. Attackers could leverage the application’s local server path to exploit CVE-2025-47812, a critical-severity flaw that leads to remote code execution — also patched in Wing FTP Server version 7.4.4. CVE-2025-47812 was added to CISA’s KEV list in July 2025 after Censys identified roughly 5,000 internet-accessible servers likely susceptible to exploitation.

The practical attack chain becomes: information disclosure (CVE-2025-47813) → path enumeration → RCE trigger (CVE-2025-47812). This is a two-stage exploitation pattern common in file transfer server targeting — the kind of chaining that makes medium-CVSS vulnerabilities disproportionately dangerous in real-world attack scenarios.

Why This Matters:

File transfer servers occupy a uniquely dangerous position in the network topology: they are internet-facing, process high-sensitivity data flows, and are typically trusted by internal systems. Information disclosure flaws are highly prized by threat actors during the initial reconnaissance phases of a cyberattack. By forcing the file transfer server to leak sensitive operational data, attackers can accurately map out the target environment, identify backend software versions, and uncover potential pathways for deeper system penetration.

Wing FTP joins a pattern of managed file transfer (MFT) products — MOVEit, GoAnywhere, Cleo — that have become priority targets for ransomware and data exfiltration operations over the past two years. CVSS scores alone do not tell the operational story.

Recommended Actions:

  • Upgrade Wing FTP Server to version 7.4.4 or later immediately
  • If patching is not immediately feasible, organizations must temporarily discontinue use of the affected product until proper mitigations can be deployed
  • Audit Wing FTP Server access logs for abnormal UID cookie submissions and oversized input patterns
  • Treat CVE-2025-47813 and CVE-2025-47812 as a combined remediation priority
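An added example, not from the advisory or from Wing FTP Software, of the log review recommended above: a small Python checker that flags requests to loginok.html carrying a UID cookie longer than the OS maximum path length, or returning a server error, over constructed sample lines in an assumed log layout.

```python
import re

# Constructed sample access-log lines in an ASSUMED "METHOD PATH STATUS "COOKIES""
# layout; this is not Wing FTP's real log format, so adapt LINE_RE to your own.
SAMPLE_LOGS = [
    'GET /loginok.html 200 "UID=c0ffee1234; lang=en"',
    'GET /loginok.html 500 "UID=' + 'A' * 300 + '"',
    'POST /login.html 200 "UID=c0ffee1234"',
    'GET /loginok.html 200 "lang=en"',
    'this line is not in the expected format',
]

# The advisory describes the leak triggering when the UID value exceeds the OS
# maximum path length. 260 is Windows MAX_PATH; use 4096 for Linux hosts.
MAX_PATH_WINDOWS = 260

LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "(.*)"$')
UID_RE = re.compile(r'(?:^|;\s*)UID=([^;]*)')

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, status, cookies = m.groups()
    uid = UID_RE.search(cookies)
    return {"method": method, "path": path, "status": int(status),
            "uid_len": len(uid.group(1)) if uid else 0}

def classify(rec, max_path=MAX_PATH_WINDOWS):
    """Reasons a record looks like a CVE-2025-47813 probe; empty list if benign."""
    reasons = []
    if not rec["path"].endswith("/loginok.html"):
        return reasons
    if rec["uid_len"] > max_path:
        reasons.append("oversized UID cookie (%d bytes)" % rec["uid_len"])
    if rec["status"] >= 500:
        # The overlong value triggers an error message, so a 5xx on this
        # endpoint is a weaker second signal worth correlating with the first.
        reasons.append("server error on loginok.html")
    return reasons

def find_suspicious(lines, max_path=MAX_PATH_WINDOWS):
    """Return (record, reasons) pairs for lines that match at least one signal."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec, max_path)
        if reasons:
            hits.append((rec, reasons))
    return hits
```

Tune max_path to the operating system the server runs on; a 5xx alone is noisy, so prioritise records that carry both reasons.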

CVE-2025-66376 — Synacor Zimbra Collaboration Suite (ZCS): Stored Cross-Site Scripting

Added to KEV: March 18, 2026
Remediation Deadline (FCEB): April 1, 2026
CWE: CWE-79 — Improper Neutralization of Input During Web Page Generation (XSS)

Technical Details:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.

This is a stored XSS variant, meaning the malicious payload is persisted server-side — in this case, embedded within an email message body that leverages CSS @import directives to execute injected scripts when the email is rendered in the ZCS Classic UI. The attack surface is the email delivery mechanism itself, making this particularly dangerous in environments where Zimbra is used for high-privilege communications.

Why This Matters:

Zimbra has been a consistent target for nation-state threat actors — particularly APT groups with intelligence collection mandates. XSS flaws in webmail platforms are valuable because they enable session token theft, credential harvesting, and browser-based pivot operations without requiring network-level access. A targeted spear-phishing email carrying a CSS @import payload can silently execute within the victim’s authenticated session context when they open the message.

This vulnerability class is particularly relevant in Zimbra because of the platform’s widespread deployment across government, military, academic, and critical infrastructure entities in the EMEA and APAC regions — environments that have historically been targeted in Zimbra-specific campaigns by Chinese and Russian-nexus threat groups.

Recommended Actions:

  • Apply the Zimbra vendor patch immediately
  • Disable the Classic UI if not operationally required; migrate users to the modern UI, which may not share the same vulnerable rendering path
  • Implement email filtering rules to strip or sanitize CSS content in email HTML bodies at the gateway level
  • Monitor webmail access logs for unusual session activity following email opens
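An added example, not from the advisory or from Zimbra, of the gateway-level CSS sanitisation recommended above: a Python function that removes @import rules from both style elements and inline style attributes of an email HTML body, after stripping CSS comments and decoding hex escapes so that split or escaped spellings of the keyword are still caught. The sample body is constructed.

```python
import re

# Constructed sample email body; the hostname is a placeholder, not a real IoC.
SAMPLE_EMAIL_HTML = (
    "<html><head><style>\n"
    "/* harmless */ body { color: #333; }\n"
    "@import url('https://example.invalid/x.css');\n"
    "</style></head>\n"
    "<body style=\"@import 'https://example.invalid/y.css'; margin:0\">Hi</body></html>"
)

CSS_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
# CSS hex escapes (e.g. \40 for '@') let the keyword be spelled in ways a naive
# substring match misses, so decode them before matching.
CSS_ESCAPE_RE = re.compile(r'\\([0-9a-fA-F]{1,6})\s?')
# One @import rule up to its terminating ';' (or the end of the declaration).
IMPORT_RULE_RE = re.compile(r'@import\b[^;{}]*;?', re.I)
STYLE_BLOCK_RE = re.compile(r'(<style\b[^>]*>)(.*?)(</style>)', re.I | re.S)
STYLE_ATTR_RE = re.compile(r'(\sstyle\s*=\s*)(["\'])(.*?)\2', re.I | re.S)

def _decode_escape(m):
    code = int(m.group(1), 16)
    return chr(code) if code <= 0x10FFFF else '\ufffd'

def _clean_css(css):
    """Return (css without @import rules, number of rules removed)."""
    css = CSS_COMMENT_RE.sub('', css)
    css = CSS_ESCAPE_RE.sub(_decode_escape, css)
    return IMPORT_RULE_RE.subn('', css)

def strip_css_imports(html):
    """Remove @import rules from <style> blocks and style attributes; return (html, count)."""
    total = 0
    def block(m):
        nonlocal total
        css, n = _clean_css(m.group(2))
        total += n
        return m.group(1) + css + m.group(3)
    def attr(m):
        nonlocal total
        css, n = _clean_css(m.group(3))
        total += n
        return m.group(1) + m.group(2) + css + m.group(2)
    html = STYLE_BLOCK_RE.sub(block, html)
    html = STYLE_ATTR_RE.sub(attr, html)
    return html, total
```

Regex-based cleaning is a stopgap for a mail gateway rule; a production filter should parse the HTML and CSS properly, and the more conservative policy of dropping style elements entirely avoids the evasion problem altogether.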

Strategic Observations

On KEV as a Signal, Not a Noise Filter:

All three additions this week reflect a consistent targeting philosophy among active threat actors — enterprise collaboration (SharePoint), file movement infrastructure (Wing FTP), and email platforms (Zimbra). These are the three primary data aggregation and communication layers in any enterprise. Attackers are not chasing exotic vulnerabilities; they are methodically targeting the platforms where the most sensitive data flows.

On the Wing FTP CVSS Trap:

The Wing FTP addition is a textbook reminder of why CVSS scores are insufficient for prioritization. A CVSS 4.3 vulnerability added to KEV — because it is actively exploited as a stepping stone to a CVSS 10.0 RCE — should be treated as critical by any mature vulnerability management program. Organizations that filtered out this CVE based on score alone are now facing confirmed in-the-wild exploitation.

On BOD 22-01 Compliance Timelines:

The SharePoint three-day remediation window is extraordinary. CISA’s standard BOD 22-01 window is typically 15 days for critical vulnerabilities, and the March 18→21 window compresses this to near-emergency response timelines. Security and IT operations teams should treat this as a P1 incident-level response, not a standard patch cycle item.

All three CVEs are now confirmed exploited in the wild. Organizations running these platforms should treat KEV inclusion as an incident trigger — not a patch-cycle reminder.
