(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – March 19, 2026
Created: Thursday, March 19, 2026 - 15:10
Categories: Cybersecurity, Security Preparedness
The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are also included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability
CVSS v3.1: 10.0
CVE: CVE-2026-20131
Description: A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced. CISA has added this vulnerability to its KEV catalog.
Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
ScreenConnect Instance Level Cryptographic Material Exposure
CVSS v3.1: 9.0
CVE: CVE-2026-3564
Description: A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Source: https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
CVSS v3.1: 8.8
CVE: CVE-2026-20963
Description: Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. CISA has added this vulnerability to its KEV catalog.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
CVSS v3.1: 7.2
CVE: CVE-2025-66376
Description: Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. CISA has added this vulnerability to its KEV catalog.
Source: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Wing FTP Server Information Disclosure Vulnerability
CVSS v3.1: 4.3
CVE: CVE-2025-47813
Description: loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. CISA has added this vulnerability to its KEV catalog.
Source: https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
