CISA Flags Actively Exploited Flaws in Microsoft Partner Center and Synacor Zimbra

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two newly exploited vulnerabilities affecting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active attacks.

The Vulnerabilities

  • CVE-2024-49035 (CVSS 8.7) – An improper access control flaw in Microsoft Partner Center, allowing privilege escalation. (Patched in November 2024)
  • CVE-2023-34192 (CVSS 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS, enabling remote code execution via a crafted script targeting the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)

While Microsoft previously confirmed CVE-2024-49035 had been exploited in real-world attacks, specific details on its usage remain undisclosed. No public reports have surfaced about active exploitation of CVE-2023-34192.

In response, Federal Civilian Executive Branch (FCEB) agencies must apply patches by March 18, 2025, to mitigate the risks.
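One way a defender turns a KEV addition like this into a patch-tracking task is to match the catalog feed against an asset inventory and compute how many days remain before the due date. The following is an added example, not part of the article: it assumes the public KEV JSON layout (a `vulnerabilities` list with `cveID`, `vendorProject`, `product` and `dueDate` fields), and the feed sample is constructed from the two CVEs and the March 18, 2025 deadline named above; the product strings are assumed, not copied from the live catalog.

```python
"""Match a CISA KEV feed against an asset inventory and report patch deadlines."""
import json
from datetime import date

# Constructed sample in the KEV JSON feed layout (the real feed carries more fields);
# product strings are assumed, the due date is the one given in the article.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2024-49035", "vendorProject": "Microsoft",
         "product": "Partner Center", "dueDate": "2025-03-18",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-34192", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite (ZCS)", "dueDate": "2025-03-18",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def kev_entries(feed_json: str) -> list[dict]:
    """Parse a KEV feed document and return its vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(entries: list[dict], inventory, today_iso: str) -> list[dict]:
    """Return KEV entries whose vendor/product pair appears in `inventory`.

    `inventory` is an iterable of (vendor, product) pairs; matching is
    case-insensitive. Each hit carries days_left relative to `today_iso`
    (YYYY-MM-DD); a negative value means the FCEB due date has passed.
    Results are sorted most-urgent first.
    """
    today = date.fromisoformat(today_iso)
    wanted = {(v.strip().lower(), p.strip().lower()) for v, p in inventory}
    hits = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key in wanted:
            due = date.fromisoformat(e["dueDate"])
            hits.append({"cveID": e["cveID"], "dueDate": e["dueDate"],
                         "days_left": (due - today).days})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    assets = [("Synacor", "Zimbra Collaboration Suite (ZCS)")]
    for hit in match_inventory(kev_entries(KEV_SAMPLE), assets, "2025-03-01"):
        print(f"{hit['cveID']}: due {hit['dueDate']}, {hit['days_left']} days left")
```

Against the live feed, replace `KEV_SAMPLE` with the downloaded catalog JSON and feed the same loop your asset list.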

This update follows CISA’s recent addition of vulnerabilities in Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to the KEV catalog, underscoring ongoing threats to enterprise systems.