Back to Intelligence

CVE-2026-20230 & CVE-2026-12569: CISA KEV Alert on Cisco CUCM and PTC Windchill Active Exploitation

SA
Security Arsenal Team
June 25, 2026
6 min read

CISA has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. For federal agencies under Binding Operational Directive (BOD) 26-04—and for private sector organizations relying on these platforms—this is a signal to prioritize remediation immediately.

The vulnerabilities affect PTC Windchill/FlexPLM (CVE-2026-12569) and Cisco Unified Communications Manager (CUCM) (CVE-2026-20230). Both are high-value targets: Windchill manages critical intellectual property and product lifecycle data, while CUCM is the backbone of enterprise voice communications.

Introduction

The addition of CVE-2026-12569 and CVE-2026-20230 to the KEV catalog is not a theoretical warning; it is confirmation that adversaries are actively scanning and exploiting these flaws. CISA's BOD 26-04 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these vulnerabilities by the due date to protect the federal enterprise. However, the risk extends far beyond the government. Manufacturing firms utilizing PTC software and organizations running Cisco voice infrastructures are currently in the crosshairs.

Failure to patch these specific issues opens the door to unauthorized access, data exfiltration, and potential operational disruption.

Technical Analysis

CVE-2026-12569: PTC Windchill and FlexPLM

  • Vulnerability Type: Improper Input Validation
  • Affected Products: PTC Windchill and FlexPLM
  • Impact: Improper input validation flaws in enterprise applications are frequently used to bypass authentication or inject malicious payloads. Given Windchill's role in managing sensitive CAD/PLM data, successful exploitation could lead to intellectual property theft or ransomware deployment within the manufacturing network segment.
  • Status: Active Exploitation Confirmed.

CVE-2026-20230: Cisco Unified Communications Manager (CUCM)

  • Vulnerability Type: Server-Side Request Forgery (SSRF)
  • Affected Products: Cisco Unified Communications Manager (CUCM)
  • Impact: SSRF vulnerabilities in critical infrastructure servers like CUCM allow attackers to force the server to make requests to internal resources. This can be used to scan internal networks, access cloud metadata services (if applicable in hybrid environments), or interact with internal APIs that are not directly exposed to the internet.
  • Status: Active Exploitation Confirmed.

Detection & Response

Because these CVEs involve web application logic (Input Validation and SSRF), detection relies heavily on identifying the behavioral consequences of exploitation rather than just a simple signature. For PTC, we look for the web server spawning unauthorized system processes. For Cisco CUCM, we hunt for the application server initiating outbound connections to unusual internal destinations.

SIGMA Rules

YAML
---
title: Potential PTC Windchill Exploitation via Web Shell Activity
id: 9a8f7e6d-5c4b-3a2b-1c9d-0e8f7a6b5c4d
status: experimental
description: Detects potential exploitation of CVE-2026-12569 by identifying the PTC Windchill (typically Java/Tomcat) process spawning cmd.exe or powershell.exe on Windows.
references:
  - https://www.cisa.gov/news-events/alerts/2026/06/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.initial_access
  - attack.t1190
  - cve-2026-12569
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - 'java.exe'
      - 'tomcat'
    ParentImage|contains:
      - 'Windchill'
      - 'FlexPLM'
  filter_legit:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection and filter_legit
falsepositives:
  - Legitimate administrative troubleshooting by PLM administrators (rare)
level: high
---
title: Cisco CUCM SSRF Anomaly - Outbound Connection to Non-Standard Ports
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects potential SSRF exploitation (CVE-2026-20230) by identifying the CUCM server initiating outbound connections to non-standard internal ports or metadata services.
references:
  - https://www.cisa.gov/news-events/alerts/2026/06/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.exfiltration
  - attack.t1071.001
  - cve-2026-20230
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    Image|contains:
      - 'java'
      - 'Cisco'
    DestinationPort:
      - 80
      - 8080
      - 8000
      - 443
      - 8443
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
      - '127.'
      - '169.254.' # Cloud metadata
  condition: selection
falsepositives:
  - Legitimate internal API calls from CUCM to other cluster nodes or database servers (verify DestinationIp)
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for PTC Windchill exploitation: Java spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "tomcat.exe") 
| where InitiatingProcessFolderPath contains @"Windchill" or InitiatingProcessFolderPath contains @"FlexPLM"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, CommandLine, AccountName
;
// Hunt for Cisco CUCM SSRF: Outbound connections to internal ranges
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName contains @"CUCM" or InitiatingProcessFileName =~ "java"
| where RemotePort in (80, 443, 8080, 8443, 8000)
| where ipv4_is_in_range(RemoteIP, "10.0.0.0/8") 
   or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") 
   or ipv4_is_in_range(RemoteIP, "172.16.0.0/12")
   or ipv4_is_in_range(RemoteIP, "169.254.0.0/16")
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName

Velociraptor VQL

VQL — Velociraptor
-- Hunt for PTC Windchill processes spawning suspicious children on Linux endpoints
SELECT Parent.ProcessName AS ParentName, Parent.CommandLine AS ParentCmd,
       Process.Name, Process.CommandLine, Process.Pid
FROM pslist()
LEFT JOIN pslist() AS Parent ON Process.Ppid = Parent.Pid
WHERE ParentName =~ "java"
  AND (ParentCmd =~ "Windchill" OR ParentCmd =~ "FlexPLM")
  AND Process.Name IN ("/bin/sh", "/bin/bash", "nc", "curl", "wget")

Remediation Script

PowerShell
# PowerShell Script: Check for PTC Windchill Service Status and Suggest Review
Write-Host "Checking for PTC Windchill Services..." -ForegroundColor Cyan
$services = Get-WmiObject -Class Win32_Service | Where-Object { $_.Name -like "*Windchill*" -or $_.PathName -like "*Windchill*" -or $_.PathName -like "*FlexPLM*" }

if ($services) {
    foreach ($svc in $services) {
        Write-Host "[+] Found Service: $($svc.Name) - State: $($svc.State)" -ForegroundColor Yellow
        Write-Host "    Path: $($svc.PathName)"
    }
    Write-Host "ACTION REQUIRED: Review the installed Windchill/FlexPLM version against PTC Security Advisory for CVE-2026-12569." -ForegroundColor Red
} else {
    Write-Host "No PTC Windchill services found via WMI." -ForegroundColor Green
}
Bash / Shell
#!/bin/bash
# Bash Script: Check Cisco CUCM for active Java processes (Service health check)
echo "Checking for Cisco CUCM Process Activity..."
# CUCM typically runs specific Java processes. This checks for Java making outbound connections (SSRF Indication)
netstat -antp 2>/dev/null | grep java | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort -u > /tmp/cucm_outbound.txt

echo "Outbound connections from CUCM Java processes:"
cat /tmp/cucm_outbound.txt

echo "ACTION REQUIRED: Review Cisco Advisory for CVE-2026-20230 and apply patches immediately."

Remediation

Immediate Actions:

  1. Patch Management:

    • PTC Users: Review the PTC Security Advisory for CVE-2026-12569. Apply the latest security patches for Windchill and FlexPLM immediately.
    • Cisco Users: Review the Cisco Security Advisory for CVE-2026-20230. Upgrade to a fixed release of Cisco Unified Communications Manager (CUCM) as specified in the advisory.

  2. Network Segmentation (Workaround):

    • CUCM (SSRF): Restrict outbound internet access from the CUCM server. If internet access is not required for the VoIP function, block it at the firewall. If internal access is needed, strictly limit destinations to known SIP trunks or call manager peers to mitigate the impact of SSRF.
    • Windchill: Ensure the application is not directly exposed to the public internet. Place it behind a WAF with strict input validation rules enabled.

  3. CISA BOD 26-04 Compliance:

    • Federal agencies must complete remediation by the deadline specified in the CISA KEV entry.
    • Document the patch verification and report completion to the agency CISO office.

Vendor Resources:

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurecisa-kevcisco-cucmptc-windchill

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action