Lead Analysis
Security & Risk

CISA Adds Critical Vulnerabilities in PTC Windchill and Cisco Unified CM to Active Exploitation Catalog

Senior analyst in a security operations center at three in the morning, three monitors showing red alerts and SIEM dashboards.

The U.S. agency added CVE-2026-12569 in Windchill (CVSS 10.0) and CVE-2026-20230 in Cisco UCM on June 25, both with webshells observed in production and a remediation deadline of July 16.

The Cybersecurity and Infrastructure Security Agency of the United States included two actively exploited vulnerabilities in its Known Exploited Vulnerabilities Catalog on Thursday, June 25. One affects PTC Windchill, a product lifecycle management platform used by most aircraft and vehicle manufacturers worldwide. The other affects Cisco Unified Communications Manager, an enterprise IP telephony system operating in banks, retail networks, and healthcare operations across twenty countries.


CVE-2026-12569 received a CVSS score of 10.0, the highest on the scale. It is a remote code execution vulnerability in Windchill PDMLink caused by improper input validation and insecure data deserialization. The German BSI classified this vulnerability as critical and even contacted administrators responsible for affected systems during the night to expedite patch deployment. PTC confirmed active observation of persistent JSP webshell installations in the Windchill login directory, allowing remote execution of commands and potential data exfiltration.


CVE-2026-20230, a server-side request forgery in Cisco Unified Communications Manager and its Session Management Edition variant, received a CVSS score of 8.6 and an internal severity rating of critical from Cisco. Exploitation does not require authentication; it depends solely on the WebDialer service being enabled, and it allows an attacker to write files on the underlying operating system and escalate privileges to root. Cisco published an advisory on June 3. Researchers observed exploitation attempts on June 22, and multiple organizations reported widespread exploitation on June 23. Inclusion in the KEV requires U.S. federal civilian agencies to apply patches within 21 days, with a deadline of July 16.


What is Known and What is Not


None of the organizations that reported exploitation last week identified a specific victim or attributed the activity to a threat group. Horizon3.ai released a complete proof of concept for CVE-2026-20230, with a chain leading to root access, which will increase the number of opportunistic attackers in the field over the next 72 hours. For PTC Windchill, there is a specific indicator to look for in the logs: POST requests to /Windchill/login/ carrying a custom X-windchill-req header, which, according to the vendor, is not used legitimately by the product.
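The indicator above is simple enough to check directly against web server access logs. The following is an added example, not code from the article, PTC or CISA. It assumes an Apache-style access log in which the X-windchill-req request header has been logged as the final quoted field (as an Apache LogFormat with %{X-windchill-req}i would emit, with "-" meaning the header was absent); the sample lines, IP addresses and header value are constructed. The second rule, flagging JSP files requested directly under the Windchill login directory, follows from PTC's statement about webshells in that directory; the set of JSP files that legitimately belong there is an assumption the operator must supply from a clean install.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample lines. Format assumed: Apache combined log plus the
# X-windchill-req header as a trailing quoted field ("-" when absent).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2026:02:14:09 +0000] "POST /Windchill/login/ HTTP/1.1" 200 1342 "-" "python-requests/2.31" "-"
203.0.113.7 - - [25/Jun/2026:02:14:11 +0000] "POST /Windchill/login/ HTTP/1.1" 200 77 "-" "python-requests/2.31" "ZXhhbXBsZQ=="
198.51.100.20 - - [25/Jun/2026:02:15:30 +0000] "GET /Windchill/app/ HTTP/1.1" 200 9912 "-" "Mozilla/5.0" "-"
198.51.100.21 - - [25/Jun/2026:02:16:02 +0000] "POST /Windchill/login/ HTTP/1.1" 302 0 "https://plm.example.internal/" "Mozilla/5.0" "-"
192.0.2.99 - - [25/Jun/2026:02:17:45 +0000] "GET /Windchill/login/help.jsp HTTP/1.1" 200 58 "-" "curl/8.4" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xwr>[^"]*)"$'
)

LOGIN_DIR = "/windchill/login/"


@dataclass
class Finding:
    src_ip: str
    timestamp: str
    rule: str
    severity: str
    detail: str


def analyze(log_text: str, legit_login_jsps: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per suspicious request in the given access log text.

    legit_login_jsps: lower-cased paths of JSP files that a clean Windchill
    install legitimately serves from the login directory (assumption; the
    default empty set flags every JSP there for review).
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a production job should count and report these
        path = m["path"].split("?", 1)[0]
        lower = path.lower()
        xwr = m["xwr"]

        # Rule 1: the vendor says X-windchill-req is never sent legitimately,
        # so any occurrence is suspicious; a POST to the login endpoint with
        # it matches the published indicator exactly.
        if xwr != "-":
            on_login_post = m["method"] == "POST" and lower == LOGIN_DIR
            findings.append(Finding(
                m["ip"], m["ts"], "windchill-custom-header",
                "high" if on_login_post else "medium",
                f'{m["method"]} {path} carried X-windchill-req ({len(xwr)} bytes)',
            ))

        # Rule 2: a JSP served straight from the login directory that is not
        # on the operator's allowlist may be a dropped webshell.
        if lower.startswith(LOGIN_DIR) and lower.endswith(".jsp") and lower not in legit_login_jsps:
            findings.append(Finding(
                m["ip"], m["ts"], "jsp-under-login-dir", "high",
                f'{m["method"]} {path} -> HTTP {m["status"]}',
            ))
    return findings


def sources_by_finding_count(findings: List[Finding]) -> Dict[str, int]:
    """Source IPs ranked by number of findings, for triage or blocklist review."""
    return dict(Counter(f.src_ip for f in findings).most_common())


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.src_ip} {f.rule}: {f.detail}")
    print(sources_by_finding_count(analyze(SAMPLE_LOG)))
```

Running the block over the constructed sample flags the second line (the indicator itself) and the fifth (an unlisted JSP under the login directory); the legitimate browser login on line four and the header-less bot POST on line one produce nothing. A hit on rule 1 warrants a host review for new files in the login directory regardless of what rule 2 reports, since a webshell may be named like a legitimate page.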


CISA's classification does not confirm mass compromise. It confirms that the agency has credible evidence of active exploitation by at least one actor and that the risk to the federal public sector justifies the 21-day deadline. For the private sector, the KEV does not create a direct legal obligation, but it is used by cyber insurers, SOX audits, and contracts with federal suppliers as a trigger for mandatory patching.


Where the Impact Really Falls


In the industrial sector, Windchill is the central PLM platform for manufacturers such as Honda, Volvo, Stellantis, and Lockheed Martin, along with aerospace supply chains in Germany and France. A critical RCE on the PLM server exposes the complete BOM, CAD drawings, and supplier qualification data. For the CISO of an automotive manufacturer, the 21-day window is only comfortable if the environment is already on version 12.1.2 or 12.0.2 with the current patch applied, which, according to PTC, is still not the case for a significant portion of the customer base.


In the United States and the United Kingdom, where Cisco UCM dominates corporate telephony in banks, law firms, and hospitals, the SSRF opens the door to abuse of automated dialing and potential pivoting into the internal network. Teams that had disabled WebDialer by default, typically in PCI DSS-regulated environments, have significantly lower exposure. In India, where large UCM deployments support BPO operations at Genpact, WNS, and EXL, the vulnerability affects systems processing telephony for American and European consumers, creating indirect regulatory risk through contracts with end customers.


Next 72 Hours


Cisco and PTC have published patches. PTC issued a fix for Windchill versions 12.1.2 and 12.0.2. Cisco recommends upgrading to Unified CM 14SU6 or 15SU5 or disabling the WebDialer where it is not used for business purposes. As of the publication of this article, neither Cisco nor PTC had responded regarding the estimated number of servers exposed to the public internet. Shodan indicated on the morning of June 26 that there were approximately 3,400 publicly reachable Windchill instances and over 12,000 Cisco UCM servers with exposed administration panels, illustrating the real scope of remediation work in the private sector.


The next milestone will be the first attribution. If Mandiant or Microsoft Threat Intelligence attributes either exploitation campaign to a state-sponsored APT group, the CVSS rating will cease to be the primary axis of prioritization, and attention will shift to who is being targeted.
