
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco Unified Communications Manager flaw and a PTC Windchill and FlexPLM flaw to its Known Exploited Vulnerabilities (KEV) catalog.
The two flaws added to the catalog are:
CVE-2026-12569 is a critical remote code execution (RCE) vulnerability in PTC Windchill PDMLink and PTC FlexPLM. An attacker can exploit it through deserialization of untrusted data. The flaw affects all CPS versions and Windchill and FlexPLM releases prior to 11.0 M030.
CVE-2026-20230 is a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM SME that allows an unauthenticated remote attacker to perform server-side request forgery (SSRF) by sending specially crafted HTTP requests to an affected device.
The issue stems from improper input validation in specific HTTP request handling. If exploited, it can allow the attacker to interact with internal services and, in some cases, write files to the underlying operating system; those files could later be leveraged to escalate privileges to root.
A key condition is that the WebDialer service must be enabled for exploitation, and it is disabled by default. Where it is active, however, the impact is severe, because the flaw can lead from SSRF to full system compromise.
Cisco warns that public proof-of-concept (PoC) code is available and that successful exploitation could allow attackers to write files that may later be used to gain root privileges, even though a specific service configuration is required for the flaw to be exploitable.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the KEV catalog and address the listed vulnerabilities in their own infrastructure.
CISA orders federal agencies to urgently fix the vulnerabilities by June 28, 2026.
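As an added illustration (not code from the article, CISA or either vendor), the following Python script triages a catalog in the KEV JSON shape against a simple keyword inventory and reports how many days remain before each BOD 22-01 due date. The catalog text is a constructed sample: the dateAdded values and the third placeholder entry are assumptions, only the two CVE IDs and the June 28, 2026 due date come from the article.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
# dateAdded values and the third entry are placeholders, not real catalog data.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Known Exploited Vulnerabilities Catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2026-12569", "vendorProject": "PTC",
     "product": "Windchill PDMLink and FlexPLM",
     "vulnerabilityName": "Deserialization of Untrusted Data",
     "dateAdded": "2026-06-07", "dueDate": "2026-06-28",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-20230", "vendorProject": "Cisco",
     "product": "Unified Communications Manager",
     "vulnerabilityName": "Server-Side Request Forgery",
     "dateAdded": "2026-06-07", "dueDate": "2026-06-28",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor",
     "product": "Placeholder Product", "vulnerabilityName": "Placeholder",
     "dateAdded": "2020-01-01", "dueDate": "2020-01-15",
     "requiredAction": "Apply updates."}
  ]
}
"""

def triage(kev_json, inventory, today):
    """Return catalog entries whose vendor or product matches an inventory
    keyword (case-insensitive), with days left until the due date as of
    `today` (ISO date string), sorted by due date then CVE ID."""
    catalog = json.loads(kev_json)
    wanted = [k.lower() for k in inventory]
    as_of = date.fromisoformat(today)
    hits = []
    for v in catalog["vulnerabilities"]:
        haystack = f'{v["vendorProject"]} {v["product"]}'.lower()
        if not any(k in haystack for k in wanted):
            continue  # not deployed here, skip
        days_left = (date.fromisoformat(v["dueDate"]) - as_of).days
        hits.append({"cveID": v["cveID"], "product": v["product"],
                     "dueDate": v["dueDate"], "daysLeft": days_left,
                     "overdue": days_left < 0,
                     "requiredAction": v["requiredAction"]})
    hits.sort(key=lambda h: (h["dueDate"], h["cveID"]))
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_KEV_JSON, ["cisco", "windchill"], "2026-06-14"):
        status = "OVERDUE" if h["overdue"] else f'{h["daysLeft"]} days left'
        print(f'{h["cveID"]:15} {h["product"]:32} due {h["dueDate"]} ({status})')
```

Point the script at the live catalog file and your own asset inventory keywords to get the same report for real entries.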
(SecurityAffairs – hacking, CISA)