🚨 CRITICAL ALERT: Active Zero-Day Exploits
Immediate Threat Summary: Two critical vulnerabilities with CVSS scores ≥ 8.0 are actively exploited in the wild, allowing attackers to gain root access and execute remote code without authentication. Both CVE-2026-20230 and CVE-2026-12569 are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of June 25, 2026, mandating urgent patching for federal agencies and critical infrastructure by June 28, 2026[3][2].
Critical Vulnerabilities (CVSS ≥ 8.0)
- CVE-2026-20230 (CVSS: 8.6): A critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Session Management Edition (SME) allows unauthenticated attackers to write files to the underlying OS and escalate privileges to root via the WebDialer service[1][2]. Public proof-of-concept code is available, and active exploitation has been confirmed in the wild[2][3].
- CVE-2026-12569 (CVSS: 9.8): A catastrophic remote code execution (RCE) vulnerability in PTC Windchill PDMlink and PTC FlexPLM (including all CPS versions) allows attackers to execute arbitrary code through the deserialization of untrusted data[1]. This flaw impacts releases prior to 11.0 M030 and is actively exploited[1].
⚡ Immediate Actions Required
1. Patch Immediately: Apply vendor updates for Cisco Unified CM to release 14SU6 or 15SU5, and for PTC Windchill/FlexPLM to the latest version post-11.0 M030[3][4]. Federal agencies must comply with the CISA KEV deadline of June 28, 2026[3].
2. Mitigate WebDialer Exposure (Cisco): If patching is not immediately feasible, disable the WebDialer service immediately, as it is disabled by default and must be active for this exploit to succeed[2][5]. Navigate to Cisco Unified Serviceability → CTI Services and uncheck "Cisco WebDialer Web Service" to block incoming attacks[5].
3. Monitor and Audit: Review system logs for indicators of SSRF attempts, unexpected file creation, or unauthorized configuration changes on Cisco devices, and monitor Windchill/FlexPLM for deserialization anomalies[4].
4. Restrict Access: Restrict network access to management interfaces and services where operationally feasible to limit the attack surface for these remote exploits[4].