The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until Sunday to patch an actively exploited vulnerability in Cisco Unified Communications Manager servers.
The security issue, tracked as CVE-2026-20230, is a server-side request forgery (SSRF) flaw and has been added to the agency's Known Exploited Vulnerabilities (KEV) catalog.
Under Binding Operational Directive (BOD) 26-04, remediation is considered an emergency and should be addressed by Sunday, June 28th.
Cisco rated CVE-2026-20230 as critical and released a patch on June 3, warning that it could be exploited remotely without authentication via a specially crafted HTTP request.
At the time, the company noted that a proof-of-concept exploit existed, but no evidence of active exploitation had been found.
Over the weekend, threat detection startup Defused observed this vulnerability being exploited in attacks to write arbitrary text files to affected endpoints.
It is currently unknown what types of attackers are exploiting CVE-2026-20230.
Critical flaws in PLM products
CISA also added CVE-2026-12569, an improper input validation flaw affecting PTC Windchill and FlexPLM software products, to the KEV catalog.
Both are product lifecycle management (PLM) systems developed by PTC for the manufacturing, engineering, retail, footwear, apparel, and consumer products industries.
CVE-2026-12569 is a critical-severity remote code execution (RCE) vulnerability that can be exploited through deserialization of untrusted data.
PTC disclosed this issue on June 18th and issued a security advisory, providing customers with a complete list of vulnerable Windchill and FlexPLM versions and urging them to take immediate remediation actions.
According to the vendor, this flaw affects all versions up to 11.0 and a number of versions of the 11.1, 11.2, 12.0, 12.1, and 13.0 release branches.
CISA has set a June 28 deadline for federal agencies to patch CVE-2026-12569.
Government agencies and organizations bound by BOD 26-04 should take immediate steps to protect their systems by applying available security updates and vendor-recommended mitigations, or discontinue use of the listed products by the established deadlines.

