CISA Orders Urgent Fix for Exploited Cisco SSRF and PTC RCE Flaws
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch a critical Cisco Unified Communications Manager Server vulnerability by Sunday, June 28. Tracked as CVE-2026-20230, the server-side request forgery (SSRF) flaw was added to CISA's Known Exploited Vulnerabilities (KEV) catalog and is rated critical. Cisco released a patch on June 3 and warned that the bug could be exploited remotely without authentication via specially crafted HTTP requests. Threat detection startup Defused confirmed last weekend that attackers are already leveraging the flaw to write arbitrary text files to affected endpoints, though no threat actor attribution has been established. Organizations should verify their exposure by running a port scanner against their own Cisco UC Manager deployments to identify publicly accessible management interfaces.
CISA simultaneously added CVE-2026-12569 to its KEV catalog — a critical-severity remote code execution (RCE) vulnerability stemming from improper input validation in PTC's Windchill and FlexPLM product lifecycle management (PLM) platforms. These systems are widely used across manufacturing, engineering, retail, footwear, apparel, and consumer products industries. The flaw, exploitable through deserialization of untrusted data, affects all Windchill versions up to 11.0 and multiple branches in the 11.1, 11.2, 12.0, 12.1, and 13.0 release lines. PTC disclosed the issue on June 18 and urged customers to immediately apply remediation steps or mitigate exposure, including reviewing TLS configurations with an SSL/TLS checker to ensure secure communications with PLM endpoints.
Both vulnerabilities fall under Binding Operational Directive (BOD) 26-04, giving federal agencies until June 28 to apply patches, implement vendor-recommended mitigations, or discontinue use of the affected products. Private sector organizations are strongly encouraged to follow suit, particularly those running Cisco unified communications or PTC PLM infrastructure. Security teams should also assess externally exposed assets by performing a WHOIS lookup on associated domains to identify ownership and potential exposure surface. With active exploitation confirmed for at least one of these flaws, delayed remediation significantly increases the risk of network compromise and lateral movement.