CISA Adds PTC Windchill and Cisco Unified CM Flaws to KEV Catalog, Citing Active Exploitation
CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-12569 in PTC Windchill and FlexPLM and CVE-2026-20230 in Cisco Unified Communications Manager, both actively exploited.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with two new entries, flagging active exploitation of a pair of flaws affecting widely deployed industrial and enterprise systems. The vulnerabilities — CVE-2026-12569 in PTC Windchill and FlexPLM, and CVE-2026-20230 in Cisco Unified Communications Manager — are now formally listed under Binding Operational Directive 26-04, requiring federal civilian agencies to prioritize their remediation.
CVE-2026-12569 is an improper input validation vulnerability in PTC's Windchill product lifecycle management platform and FlexPLM, its retail-specific variant. While technical specifics remain under embargo pending full vendor disclosure, the advisory notes that exploitation could allow an attacker to execute arbitrary code or cause a denial-of-service condition. Both products are widely used in manufacturing, aerospace, and retail supply chains, making them attractive targets for cyber espionage or ransomware operations.
The second addition, CVE-2026-20230, is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM). This flaw was originally disclosed by Cisco in early June 2026, with the company confirming that it was being exploited in the wild and releasing hotfixes. SSRF vulnerabilities allow an attacker to coerce a server into making requests to internal systems, potentially bypassing firewalls and accessing sensitive data or internal services. In the context of Unified CM — a core voice and video communications hub for large enterprises — the impact could be significant, enabling lateral movement and deeper network compromise.
CISA's directive under BOD 26-04 mandates that FCEB agencies remediate these vulnerabilities by a strict deadline, typically within days of KEV addition. The directive also requires agencies to check for signs of compromise on affected systems before applying patches. While the directive applies only to federal agencies, CISA strongly urges all organizations — particularly those in critical infrastructure, manufacturing, and communications sectors — to prioritize patching and to assume that exploitation is ongoing.
The addition of CVE-2026-20230 to the KEV catalog reinforces the urgency of Cisco's June advisory. Although Cisco has released patches, SSRF vulnerabilities can sometimes be exploited even after mitigation if the underlying network architecture remains misconfigured. Organizations are advised to review their firewall rules, restrict outbound requests from Unified CM servers, and segment communications management systems from the rest of the corporate network.
CVE-2026-12569 is particularly concerning for the industrial sector. Windchill is a backbone for product data management across many manufacturers, and FlexPLM is a staple in retail supply chains. An unpatched flaw in these systems could expose proprietary designs, intellectual property, and logistics data. PTC has not yet released a public advisory detailing exploitation specifics, but CISA's KEV inclusion confirms that attackers are actively leveraging the bug in the wild.
CISA maintains an open nomination process for organizations to submit additional CVEs for KEV consideration, provided each submission includes evidence of active exploitation and clear mitigation guidance. The agency continues to emphasize that the KEV catalog is a dynamic tool designed to cut through the noise of thousands of CVE disclosures and focus defender resources on vulnerabilities that pose immediate, real-world risk.
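One way to turn a KEV addition into a remediation work queue, as an added example rather than anything from CISA or this article: the script below parses a feed in the shape of the public KEV JSON (real field names; the dates, required-action text and inventory hosts are constructed placeholders) and matches entries against a hypothetical asset inventory, sorting affected hosts by BOD due date so overdue items surface first.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed: field names follow the real feed,
# but the dates and requiredAction text here are placeholders, not CISA's records.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-12569", "vendorProject": "PTC", "product": "Windchill and FlexPLM",
         "vulnerabilityName": "PTC Windchill and FlexPLM Improper Input Validation Vulnerability",
         "dateAdded": "2026-06-10", "dueDate": "2026-07-01", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2026-20230", "vendorProject": "Cisco", "product": "Unified Communications Manager",
         "vulnerabilityName": "Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability",
         "dateAdded": "2026-06-10", "dueDate": "2026-06-24", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ],
})

# Constructed asset inventory with hypothetical hosts; vendor/product strings are what we match on.
INVENTORY = [
    {"host": "plm-prod-01", "vendor": "PTC", "product": "Windchill", "owner": "eng-platform"},
    {"host": "cucm-pub-01", "vendor": "Cisco", "product": "Unified Communications Manager", "owner": "voice-ops"},
    {"host": "web-edge-01", "vendor": "Apache", "product": "HTTP Server", "owner": "web-ops"},
]

def kev_triage(feed_json, inventory, today_iso):
    """Match KEV entries against the inventory and return one work item per affected host,
    sorted by remediation due date (soonest first, so overdue items surface at the top)."""
    today = date.fromisoformat(today_iso)
    feed = json.loads(feed_json)
    items = []
    for vuln in feed["vulnerabilities"]:
        vendor = vuln["vendorProject"].strip().lower()
        product = vuln["product"].lower()
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            # Vendor must match exactly; product is a substring match because a single KEV
            # entry often names several products at once ("Windchill and FlexPLM").
            if asset["vendor"].lower() == vendor and asset["product"].lower() in product:
                days_left = (due - today).days
                items.append({
                    "cveID": vuln["cveID"], "host": asset["host"], "owner": asset["owner"],
                    "dueDate": vuln["dueDate"], "days_left": days_left, "overdue": days_left < 0,
                    "ransomware_use": vuln.get("knownRansomwareCampaignUse", "Unknown"),
                    "action": vuln["requiredAction"],
                })
    return sorted(items, key=lambda item: item["days_left"])
```

Against the live feed, replace `SAMPLE_KEV_FEED` with the downloaded catalog JSON and `INVENTORY` with an export from your CMDB; the substring product match is deliberately loose, so review hits rather than acting on them blindly.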
As the KEV catalog grows — now regularly including multiple entries per week — security teams face mounting pressure to triage patches efficiently. The addition of CVE-2026-12569 and CVE-2026-20230 underscores how quickly active exploitation can move across both IT and OT environments, and why adherence to BOD 26-04's risk-based prioritization framework is critical for staying ahead of attackers.