CISA gives feds until Sunday to patch exploited Cisco and PTC flaws

CISA has added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate them by June 28 under Binding Operational Directive 26-04.

CISA sets June 28 deadline for Cisco Unified Communications Manager Server flaw. The agency requires federal agencies to patch CVE-2026-20230, a server-side request forgery vulnerability, by Sunday. Cisco released the patch on June 3 and rated the issue critical, warning it can be exploited remotely without authentication through specially crafted HTTP requests. At the time of disclosure, Cisco noted a proof-of-concept existed but reported no active exploitation.

Last weekend, threat detection startup Defused observed the vulnerability being used in attacks to write arbitrary text files to affected endpoints. It remains unknown what type of threat actor is leveraging CVE-2026-20230.

PTC Windchill and FlexPLM vulnerability also added to KEV catalog. CISA added CVE-2026-12569, an improper input validation flaw that enables remote code execution through deserialization of untrusted data. The vulnerability affects PTC's product lifecycle management systems used in manufacturing, engineering, retail, footwear, apparel, and consumer products industries. According to The Hacker News, this marks the first PTC vulnerability in the KEV catalog and carries a CVSS score of 9.3.

PTC disclosed the flaw on June 18 and published a security advisory listing vulnerable versions up to 11.0 and multiple branches of 11.1 through 13.0. SecurityWeek reports this is the first confirmed real-world exploitation of the PTC Windchill and FlexPLM products, with continued activity noted as of June 25. PTC confirmed deployment of JSP web shells and released indicators of compromise including specific IP addresses, web shell naming patterns, and file hashes.

Agencies must apply updates or discontinue product use by deadline. Both vulnerabilities were added to the KEV catalog on June 25 with the identical remediation deadline. CISA guidance directs agencies bound by BOD 26-04 to apply available security updates, implement vendor-recommended mitigations, or stop using the affected products. The directive emphasizes immediate action to secure systems against active exploitation.

SecurityWeek notes the PTC flaw carries potential supply chain impact across auto, aerospace, and defense sectors. CISA's official confirmation lists both the Cisco SSRF and PTC improper input validation issues explicitly. Agencies are also advised to conduct forensics triage where appropriate.