Alert: CISA Adds Actively Exploited Microsoft and Zimbra Vulnerabilities to Critical Threat List

# CISA Adds Microsoft and Zimbra Vulnerabilities to Known Exploited List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate attention from federal agencies.

The vulnerabilities include:

- **CVE-2024-49035** (CVSS 8.7): A privilege escalation flaw in Microsoft Partner Center caused by improper access control. Microsoft patched this vulnerability in November 2024 and previously confirmed it was being exploited in the wild, though specific attack details remain undisclosed.

- **CVE-2023-34192** (CVSS 9.0): A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite that allows authenticated attackers to execute arbitrary code through the `/h/autoSaveDraft` function. This issue was fixed in July 2023 with version 8.8.15 Patch 40, though no public reports of exploitation have emerged.

Federal Civilian Executive Branch agencies must apply the necessary security updates by March 18, 2025. This announcement follows CISA’s recent addition of Adobe ColdFusion and Oracle Agile Product Lifecycle Management vulnerabilities to the KEV catalog.
