The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to urgently patch Cisco CVE-2026-20230 after confirming that attackers are actively exploiting the vulnerability.

CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and instructed agencies covered by Binding Operational Directive (BOD) 26-04 to complete remediation by June 28.

Cisco CVE-2026-20230 Is Already Under Attack

Cisco disclosed CVE-2026-20230 earlier this month and rated it as a critical security vulnerability. The flaw is a server-side request forgery (SSRF) issue affecting Cisco Unified Communications Manager Server.

Attackers can exploit the vulnerability remotely without authentication by sending specially crafted HTTP requests to vulnerable systems.

Cisco released security updates on June 3 and acknowledged that proof-of-concept exploit code already existed. At that time, however, the company said it had not observed active attacks targeting the flaw.

That situation changed after security researchers detected real-world exploitation.

Researchers Observe Active Exploitation

Threat detection company Defused recently identified attackers exploiting Cisco CVE-2026-20230 against exposed systems.

According to the researchers, the attacks allowed threat actors to write arbitrary text files to vulnerable endpoints. Although investigators have confirmed exploitation, they have not identified the group responsible for the campaign.

The discovery prompted CISA to classify the vulnerability as actively exploited and accelerate federal remediation requirements.

CISA Adds Critical PTC Vulnerability to KEV Catalog

CISA also added CVE-2026-12569 to its Known Exploited Vulnerabilities Catalog.

The flaw affects PTC Windchill and FlexPLM, two product lifecycle management (PLM) platforms widely used across manufacturing, engineering, retail, apparel, footwear, and consumer goods industries.

Researchers classified the vulnerability as a critical remote code execution (RCE) flaw caused by improper input validation during the deserialization of untrusted data.

PTC disclosed the issue on June 18 and urged customers to install available security updates immediately.

According to the company’s advisory, the vulnerability impacts all Windchill versions up to 11.0 and several releases in the 11.1, 11.2, 12.0, 12.1, and 13.0 branches.

Federal Agencies Face June 28 Deadline

CISA has given federal agencies until June 28 to remediate both vulnerabilities under Binding Operational Directive 26-04.

Organizations that fall under the directive must apply vendor-issued security updates or implement approved mitigation measures before the deadline. If administrators cannot secure affected systems in time, CISA recommends removing the vulnerable products from service until patches become available.

The latest KEV additions highlight how quickly proof-of-concept exploits can develop into active attack campaigns. Organizations running Cisco Unified Communications Manager or affected PTC products should prioritize patching immediately to reduce the risk of compromise.

