Ethical Hacking News
US CISA has added two critical vulnerabilities in Cisco and PTC Windchill software to its Known Exploited Vulnerabilities catalog, urging federal agencies and private organizations to address them urgently. The added flaws, CVE-2026-12569 and CVE-2026-20230, enable remote code execution and server-side request forgery respectively, and pose significant risk to organizations that rely on these products.
CISA has added two critical vulnerabilities to its KEV catalog, CVE-2026-12569 and CVE-2026-20230. The vulnerabilities affect PTC Windchill and Cisco Unified Communications Manager (Unified CM) software. CVE-2026-12569 is a remote code execution (RCE) vulnerability that can be exploited through deserialization of untrusted data. CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability that allows an unauthenticated attacker to perform SSRF by sending specially crafted HTTP requests. CISA urges federal agencies and private organizations to address the vulnerabilities urgently, with a deadline of June 28, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step towards enhancing the security posture of federal agencies and private organizations by adding two critical vulnerabilities in Cisco and PTC Windchill software to its Known Exploited Vulnerabilities (KEV) catalog. This move is part of CISA's ongoing efforts to identify and address potential security risks associated with commonly used software and systems.
The two added flaws, CVE-2026-12569 and CVE-2026-20230, have significant implications for organizations that utilize PTC Windchill PDMlink and PTC FlexPLM, as well as those that employ Cisco Unified Communications Manager (Unified CM) software. These vulnerabilities enable remote code execution (RCE) and server-side request forgery (SSRF), respectively, either of which can lead to a severe security breach.
CVE-2026-12569 is a critical RCE vulnerability in PTC Windchill PDMlink and PTC FlexPLM that can be exploited through the deserialization of untrusted data. This flaw impacts all CPS versions and Windchill and FlexPLM releases prior to 11.0 M030, making it a widespread concern for organizations that rely on these software solutions.
On the other hand, CVE-2026-20230 is a critical SSRF vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM SME software. This flaw allows an unauthenticated remote attacker to perform server-side request forgery by sending specially crafted HTTP requests to an affected device. The impact is severe because the SSRF can be chained into full system compromise, particularly if the WebDialer service is enabled.
CISA has emphasized the importance of addressing these vulnerabilities urgently and has ordered federal agencies to fix them by June 28, 2026. Experts also recommend that private organizations review the KEV catalog and address the vulnerabilities in their infrastructure to prevent potential security breaches.
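One way to act on that advice, as an added example that is not part of the article or of CISA's own tooling: a small Python script that parses a KEV feed in the catalog's published JSON shape and matches it against a local software inventory, reporting days left until each due date. The field names (`cveID`, `vendorProject`, `product`, `dueDate` and so on) follow CISA's public feed; the two entries and the inventory below are constructed from the article's text for illustration, and `INVENTORY`, `triage` and the other helper names are hypothetical.

```python
"""Triage a CISA KEV feed against a local software inventory (added example).

The JSON field names follow CISA's public known_exploited_vulnerabilities.json
feed; the entries and the inventory here are constructed for illustration.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. The two entries are built
# from the article (CVE IDs, products, 2026-06-28 due date); they are not
# copied from the real catalog.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-12569",
      "vendorProject": "PTC",
      "product": "Windchill PDMlink and FlexPLM",
      "vulnerabilityName": "PTC Windchill Deserialization of Untrusted Data Vulnerability",
      "dateAdded": "2026-06-25",
      "shortDescription": "Deserialization of untrusted data allows remote code execution.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
      "dueDate": "2026-06-28",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2026-20230",
      "vendorProject": "Cisco",
      "product": "Unified Communications Manager",
      "vulnerabilityName": "Cisco Unified CM Server-Side Request Forgery Vulnerability",
      "dateAdded": "2026-06-25",
      "shortDescription": "Unauthenticated SSRF via crafted HTTP requests.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
      "dueDate": "2026-06-28",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed (hypothetical) inventory: vendor -> product names as they
# appear in the organisation's asset register.
INVENTORY = {
    "Cisco": ["Unified Communications Manager", "ASA"],
    "PTC": ["Windchill PDMlink"],
}


def load_kev(text):
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _norm(s):
    """Lower-case and collapse whitespace so free-text product names compare sanely."""
    return " ".join(s.lower().split())


def _affects(entry, inventory):
    """True if the entry's vendor and product match something in the inventory.

    KEV product strings are free text ("Windchill PDMlink and FlexPLM"), so a
    case-insensitive substring test in either direction is used rather than
    exact equality.
    """
    vendor = _norm(entry["vendorProject"])
    product = _norm(entry["product"])
    for inv_vendor, products in inventory.items():
        if _norm(inv_vendor) not in vendor:
            continue
        if any(_norm(p) in product or product in _norm(p) for p in products):
            return True
    return False


def triage(text, inventory, today_iso):
    """Return matching KEV entries as dicts with days left until the due date.

    today_iso is an ISO date string ("YYYY-MM-DD"); negative days_left means
    the CISA due date has already passed. Most urgent entries come first.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for e in load_kev(text):
        if not _affects(e, inventory):
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "dueDate": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_KEV_JSON, INVENTORY, "2026-06-26"):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']} day(s) left"
        print(f"{r['cveID']}  {r['product']}  due {r['dueDate']}  {flag}")
```

In practice you would replace `SAMPLE_KEV_JSON` with the downloaded feed and `INVENTORY` with an export from your asset register; the substring matching is deliberately loose so that a KEV product string covering several products ("Windchill PDMlink and FlexPLM") still matches an inventory that lists only one of them.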
It's worth noting that CISA has been actively working towards improving the cybersecurity landscape by identifying and addressing potential risks associated with commonly used software and systems. This move is part of CISA's ongoing efforts to enhance the security posture of federal agencies and private organizations, and it serves as a reminder of the importance of staying vigilant and proactive when it comes to software updates and vulnerability patching.
Related Information:
https://www.ethicalhackingnews.com/articles/US-CISA-Adds-Cisco-and-PTC-Windchill-Flaws-to-Known-Exploited-Vulnerabilities-Catalog-ehn.shtml
https://securityaffairs.com/194290/security/u-s-cisa-adds-cisco-and-ptc-windchill-and-flexplm-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2026-12569
https://www.cvedetails.com/cve/CVE-2026-12569/
https://nvd.nist.gov/vuln/detail/CVE-2026-20230
https://www.cvedetails.com/cve/CVE-2026-20230/
Published: Fri Jun 26 06:13:55 2026 by llama3.2 3B Q4_K_M