Critical zero-day vulnerabilities in the Microsoft Partner Center website and Synacor Zimbra Collaboration Suite (ZCS) were added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA) Tuesday.

The Microsoft Partner Center vulnerability, tracked as CVE-2024-49035, can enable privilege escalation by an unauthenticated attacker, while the Synacor ZCS flaw, tracked as CVE-2023-34192, allows cross-site scripting (XSS) by a remote authenticated attacker.

CVE-2024-49035 was first disclosed in November 2024 and assigned a high CVSS 3 score of 8.7 by Microsoft, but was later scored a critical 9.8 by the National Institute of Standards and Technology (NIST) in January 2025. The Synacor flaw, CVE-2023-34192, received a CVSS 3 score of 9.0 from both CISA and NIST and was first disclosed in July 2023.

The Microsoft Partner Center website, at Partner.Microsoft.com, is the platform Microsoft partners use to manage their relationship with Microsoft, customers and other partners, and to streamline business processes including billing and payment. As of 2022, more than 400,000 organizations were part of the Microsoft Partner Network.

According to Microsoft's advisory for CVE-2024-49035, no customer action is needed to resolve the improper access control flaw, as it was fixed via an automatic update to the online version of Microsoft Power Apps. Although the flaw was only added to the KEV catalog this week, Microsoft's original November advisory already noted that exploitation had been detected.

Synacor's ZCS is a suite of business collaboration tools including email, calendar and contact sharing, as well as chat and video features. According to Synacor, its Zimbra email and collaboration tools are used by "100s of Millions."

CVE-2023-34192 affects ZCS version 8.8.15. A distinct XSS flaw in the same version, CVE-2023-37580, has reportedly been actively targeted by threat actors since November 2023.
Zimbra's security advisory, published July 13, 2023, also noted active exploitation and urged customers to apply a manual fix with the instructions it provided ahead of the patch, which was ultimately released July 26, 2023, in version 8.8.15 Patch 41. The vulnerability could be exploited by sending a crafted script to the /h/autoSaveDraft function and was resolved by adding input sanitization to prevent XSS and the arbitrary code execution it enables.

Another critical flaw in ZCS, tracked as CVE-2024-45519, came under active attack in October 2024, with threat actors sending spam emails crafted so that the Zimbra server ran attacker-supplied commands when it processed them; no user interaction was required. The flaw has a maximum CVSS score of 10 and was added to the KEV catalog on Oct. 3, 2024.

CISA's advisory Tuesday also encouraged users and administrators to review a recent threat brief by Palo Alto Networks about the chained exploitation of PAN-OS flaws CVE-2024-0012 and CVE-2024-9474 (an authentication bypass in the management web interface and a privilege escalation, respectively) in campaigns dubbed "Operation Lunar Peak." Palo Alto Networks noted that exploitation has been ongoing since about Nov. 18, 2024, and has been used to deliver a range of payloads including web shells, open-source command and control (C2) tools and cryptominers. Both CVE-2024-0012 and CVE-2024-9474 were added to the KEV catalog in November 2024.
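For teams that want to check whether the /h/autoSaveDraft XSS described above was ever attempted against their ZCS deployment, the following is an added example (not code from the article, Zimbra or Synacor) that hunts web-server access logs for requests to that endpoint carrying script markers in the query string. It assumes the proxy in front of Zimbra logs in the common nginx/Apache "combined" format and that the payload travels in the query string; POST bodies are not recorded in access logs, so a body-borne payload would only be visible in Zimbra's own mailbox or proxy debug logs. The log lines embedded below are constructed for illustration and are not real traffic.

```python
"""Hunt access logs for XSS attempts against Zimbra's /h/autoSaveDraft endpoint.

Added example, not from the original article. Assumptions: logs are in
nginx/Apache "combined" format and the payload is in the query string.
POST bodies are not captured in access logs, so this cannot see body-borne
payloads; use Zimbra's mailbox/proxy debug logs for those.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/h/autoSaveDraft"

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2023:09:12:01 +0000] "POST /h/autoSaveDraft?crumb=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2023:09:12:05 +0000] "GET /h/autoSaveDraft?body=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Jul/2023:09:13:10 +0000] "GET /h/search?st=message HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jul/2023:09:14:44 +0000] "GET /h/autoSaveDraft?subject=%22%3E%3Cimg%20src%3Dx%20onerror%3Dfetch('//evil.example')%3E HTTP/1.1" 200 700 "-" "curl/8.0"
198.51.100.9 - - [14/Jul/2023:09:15:02 +0000] "GET /h/autoSaveDraft?body=%253Cscript%253Esrc%3D1 HTTP/1.1" 200 690 "-" "curl/8.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Script markers that essentially never appear in a legitimate draft-save parameter.
XSS_MARKERS = re.compile(
    r"<\s*script\b"
    r"|<\s*(?:img|svg|iframe|body|object|embed)\b[^>]*\bon\w+\s*="
    r"|javascript\s*:"
    r"|\bon(?:error|load|click|focus|mouseover|animationstart)\s*=",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded payload cannot slip past the regex."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_request(entry):
    """Return (parameter, marker) pairs found in the query string of one parsed entry."""
    parts = urlsplit(entry["target"])
    if parts.path.rstrip("/") != TARGET_PATH:
        return []
    hits = []
    # parse_qsl decodes once; fully_decode catches additional encoding layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for m in XSS_MARKERS.finditer(fully_decode(value)):
            hits.append((name, m.group(0)))
    return hits


def analyze(log_text):
    """Scan a whole log and return one finding per (request, parameter, marker)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for param, marker in scan_request(entry):
            findings.append({
                "ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
                "status": entry["status"], "param": param, "marker": marker,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} param={f['param']!r} marker={f['marker']!r}")
```

Run against the constructed sample, the scan flags the three GET requests carrying script markers (including the double-encoded one) and ignores the ordinary draft auto-save POST and the unrelated search request. A 200 status on a flagged request only tells you the endpoint answered, not that the payload executed; the finding is a lead for reviewing the affected mailbox and the source address, not proof of compromise.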