CVE-2026-20230 — a server-side request forgery (SSRF) in Cisco Unified Communications Manager Server — has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog and must be remediated by Sunday, June 28 under Binding Operational Directive 26-04.
CVE-2026-20230 and Cisco Unified Communications Manager Server
Cisco marked CVE-2026-20230 critical and released a patch on June 3. The vendor warned the flaw could be exploited remotely and without authentication via specially crafted HTTP requests. At the time of the patch, Cisco reported that a proof-of-concept exploit existed but that it had found no evidence of active exploitation.
Since the patch, threat detection startup Defused observed active exploitation “last weekend,” reporting attacks that use the vulnerability to write arbitrary text files to affected endpoints. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the vulnerability to its KEV catalog and imposing an urgent remediation deadline for federal agencies under BOD 26-04.
CVE-2026-12569, PTC Windchill and FlexPLM
CISA also added CVE-2026-12569 to the KEV catalog. The vulnerability is an improper input validation flaw that enables remote code execution (RCE) through the deserialization of untrusted data and carries a critical severity rating.
The issue affects PTC’s Windchill and FlexPLM product lifecycle management (PLM) systems — used by manufacturing, engineering, retail, footwear, apparel, and consumer products organizations. PTC disclosed CVE-2026-12569 on June 18, published a security advisory listing vulnerable versions, and urged customers to take immediate remediation steps. According to the vendor, the flaw affects all versions up to 11.0 and multiple versions of the 11.1, 11.2, 12.0, 12.1, and 13.0 release branches.
Binding Operational Directive 26-04 and the June 28 deadline
Per Binding Operational Directive (BOD) 26-04, CISA has designated remediation for both CVE-2026-20230 and CVE-2026-12569 as urgent. The agency set the same deadline for federal agencies to patch or otherwise mitigate the issues: Sunday, June 28.
Agencies and organizations bound by BOD 26-04 are instructed to either apply available security updates and vendor-recommended mitigations or stop using the affected products by that deadline.
Observed exploitation and the remaining unknowns
Defused’s observation of active exploitation of CVE-2026-20230 — specifically attacks that write arbitrary text files — marks a change from Cisco’s earlier assessment that, despite a proof-of-concept, there was no evidence of active abuse. Which type of threat actor is leveraging CVE-2026-20230 in attacks is currently unknown.
For CVE-2026-12569, PTC disclosed the vulnerability and directed customers to detailed version lists and remediation guidance; the reporting does not indicate observed exploitation in the wild at the time of disclosure.
What this means for federal agencies, PTC customers, and security teams
- Federal agencies: Must meet the BOD 26-04 deadline of June 28 — applying Cisco’s June 3 patch for CVE-2026-20230 and PTC’s recommended mitigations or updates for CVE-2026-12569 — or stop using the affected products by that date.
- PTC customers in manufacturing, engineering, retail, footwear, apparel, and consumer products: Should consult PTC’s advisory for the complete list of vulnerable Windchill and FlexPLM versions and take immediate remediation steps for versions up to 11.0 and multiple 11.1, 11.2, 12.0, 12.1, and 13.0 branches.
- Security teams: Need to prioritize applying available security updates and vendor-recommended mitigations and to monitor for post-patch exploitation. The reporting also cites a detection gap that security programs should weigh — “Security teams log 54% of successful attacks and alert on just 14%” — underscoring the importance of rapid patching and active validation.
The clock is short. With a June 28 compliance deadline under BOD 26-04 and at least one of the flaws already being exploited to write files on affected systems, organizations running affected Cisco or PTC products face a concrete, time-bound decision: patch now, apply mitigations, or cease using the vulnerable services before Sunday. How widely the observed attacks will spread and which actors are responsible remain open questions.