CISA Flags Critical Vulnerabilities in Microsoft Partner Center and Synacor Zimbra Collaboration Suite

Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities affecting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. KEV inclusion is the signal that a flaw is being used in real attacks, so affected organizations should treat remediation as urgent rather than routine.

Identified Vulnerabilities
The vulnerabilities in question present significant security risks:

  • CVE-2024-49035 (CVSS Score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. Microsoft addressed it in its November 2024 security update. Partner Center is a Microsoft-hosted service, so the fix is applied on Microsoft's side; the practical follow-up for partner tenants is to review Partner Center role assignments and sign-in activity for anything unexpected rather than to look for a customer-side patch.

  • CVE-2023-34192 (CVSS Score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary script in a victim's browser session by injecting a crafted script through the /h/autoSaveDraft function. Note that the attacker needs a valid ZCS account, so a compromised or low-privilege mailbox is sufficient. Zimbra fixed the issue in July 2023 with the release of version 8.8.15 Patch 40.
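Two checks a ZCS administrator would want for the Zimbra entry above: whether a server is at or beyond the 8.8.15 Patch 40 fix level, and whether the access log shows requests to /h/autoSaveDraft carrying script payloads. The following is an added example written for this page, not code from Zimbra, Synacor or the original article. It assumes that `zmcontrol -v` output contains a "Release X.Y.Z" token and a "Patch X.Y.Z_PNN" token, and that the mailbox access log is in common-log style; the log lines and version strings are constructed for the demonstration. Because the check only knows the 8.8.15 fix level quoted in the article, it reports other release lines as "not covered" rather than guessing. One caveat: payloads sent in a POST body do not appear in an access log, so this catches only query-string abuse; a full check needs WAF or reverse-proxy logs that record bodies.

```python
import re
from urllib.parse import unquote_plus

# Fix level stated in the advisory text: ZCS 8.8.15 Patch 40.
FIXED_RELEASE = (8, 8, 15)
FIXED_PATCH = 40

# Assumed shape of `zmcontrol -v` output (assumption, not taken from the page).
_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)", re.IGNORECASE)


def zcs_patch_status(zmcontrol_output: str):
    """True if an 8.8.15 build is at/after Patch 40, False if below it,
    None if the release line is not 8.8.15 (fix level unknown to this check)."""
    m = _RELEASE_RE.search(zmcontrol_output)
    if not m:
        raise ValueError("no 'Release X.Y.Z' token in zmcontrol output")
    release = tuple(int(x) for x in m.groups())
    if release != FIXED_RELEASE:
        return None
    p = _PATCH_RE.search(zmcontrol_output)
    patch = int(p.group(1)) if p else 0  # no Patch token => plain GA build
    return patch >= FIXED_PATCH


# Coarse XSS indicators; a draft-autosave request has no legitimate reason
# to carry any of these in its query string.
_XSS_MARKERS = re.compile(
    r"<\s*script|<\s*(img|svg|iframe|object)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)
# Common-log style line: ip ident user [ts] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_autosavedraft_xss(log_text: str):
    """Return one dict per request to /h/autoSaveDraft whose decoded query
    string carries an XSS marker. Decodes twice so a double-encoded payload
    does not slip through on one pass."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != "/h/autoSaveDraft":
            continue
        decoded = unquote_plus(unquote_plus(query))
        if _XSS_MARKERS.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "payload": decoded,
            })
    return hits


# Constructed sample log (not captured from a real system). Line 1 is a normal
# autosave, lines 2 and 3 carry script (line 3 double-encoded), line 4 carries
# script but targets a different handler and must not be flagged here.
SAMPLE_LOG = """\
10.0.0.5 - alice [25/Feb/2025:10:01:12 +0000] "POST /h/autoSaveDraft HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - alice [25/Feb/2025:10:01:13 +0000] "POST /h/autoSaveDraft?subject=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - bob [25/Feb/2025:10:02:40 +0000] "GET /h/autoSaveDraft?body=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1200 "-" "curl/8.4.0"
10.0.0.7 - carol [25/Feb/2025:10:03:01 +0000] "GET /h/search?st=message&sq=%3Cscript%3E HTTP/1.1" 200 5112 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Constructed version strings (assumed format, see lead-in).
    for v in ("Release 8.8.15_GA_3869.RHEL7_64 FOSS edition, Patch 8.8.15_P46.",
              "Release 8.8.15_GA_3869.RHEL7_64 FOSS edition, Patch 8.8.15_P39.",
              "Release 9.0.0_GA_3998.UBUNTU18_64 FOSS edition, Patch 9.0.0_P30."):
        print(v, "->", zcs_patch_status(v))
    for h in find_autosavedraft_xss(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} user={h['user']} payload={h['payload']}")
```

Run it against a copy of the mailbox access log and the `zmcontrol -v` output from each mailbox node; a `False` patch status or any hit from `find_autosavedraft_xss` is grounds to patch immediately and to review the flagged account, since the attacker had to be authenticated.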

Security Implications and Response
Microsoft has confirmed that CVE-2024-49035 has been exploited but has not published details of the attacks or the actors behind them. For CVE-2023-34192, CISA's KEV listing asserts exploitation, but no public reporting describes who is exploiting it or how; the fact that a two-year-old, long-patched XSS flaw is still being used is a reminder that unpatched ZCS instances remain exposed.

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by March 18, 2025. The deadline binds only federal agencies, but CISA recommends that all organizations treat KEV entries with the same priority.

Broader Context
The addition of these vulnerabilities to the KEV catalog follows a similar move by CISA, which recently flagged security flaws in Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) due to their active exploitation. This highlights the ongoing and evolving nature of cybersecurity threats, emphasizing the necessity of proactive security measures and timely updates.

Conclusion
CISA's ongoing work to catalog exploited vulnerabilities reflects the agency's role in national cybersecurity. Organizations running Synacor ZCS should apply 8.8.15 Patch 40 or later without delay, and organizations using Microsoft Partner Center should confirm Microsoft's mitigation and review their partner accounts and privileges. Staying vigilant and following security best practices remain essential to reducing the risk from vulnerabilities that are already being exploited.
