
Critical CVEs June 2026: PTC Windchill, Cisco UCM, Ubiquiti UniFi Under Active Attack
The last week of June 2026 produced one of the more varied batches of CISA KEV additions of the year: six vulnerabilities confirmed as actively exploited, spanning industrial PLM software, enterprise communications infrastructure, and network management platforms. PTC Windchill, Cisco Unified Communications Manager, and Ubiquiti UniFi are deployed in thousands of enterprise environments globally — making this batch particularly high-impact.
CVE-2026-12569 — PTC Windchill and FlexPLM RCE (CVSS 9.3)
The highest-severity addition to the June 29 KEV batch, this improper input validation vulnerability in PTC Windchill and FlexPLM allows remote code execution through deserialization of untrusted data. An attacker can send a malicious network request to trigger arbitrary code execution without authentication. PTC confirmed continued exploitation activity even after patches were released, describing "heightened threat activity" and disclosing that attackers are deploying JSP web shells against vulnerable systems.
The indicators of compromise published by PTC include JSP files matching the pattern /Windchill/login/[0-9a-f]{16}.jsp on the filesystem. State-sponsored espionage actors have been attributed to exploitation campaigns targeting Windchill specifically for intellectual property theft from engineering and manufacturing environments.
Action required: Apply PTC Advisory PTC-SEC-2026-0414 immediately. Scan the filesystem for suspicious JSP files. If Windchill is internet-exposed, treat as potentially compromised and initiate incident response.
CVE-2026-20230 — Cisco Unified Communications Manager SSRF
Cisco Unified Communications Manager contains a server-side request forgery vulnerability that allows an attacker to abuse the affected server to make unintended requests to internal or external resources. UCM occupies trusted positions within enterprise networks — SSRF vulnerabilities in this context enable reconnaissance, internal service access, credential exposure, and chained attacks against adjacent systems. Active exploitation has been observed using the SSRF to map internal network topology as a precursor to lateral movement.
Action required: Apply Cisco security advisory cisco-sa-cucm-ssrf-202606 immediately. Review UCM access logs for unusual outbound request patterns. Ensure UCM is not directly internet-exposed.
Ubiquiti UniFi OS — Three Simultaneous CVEs
Three related vulnerabilities affecting Ubiquiti UniFi OS were added to the KEV catalog simultaneously on June 29, signaling a coordinated exploitation campaign against the platform. The trio includes a command injection vulnerability fixed in UniFi OS 4.0.6 via Ubiquiti Security Advisory UI-SA-2026-349, a path traversal vulnerability affecting console firmware versions 3.2.12 through 4.0.5, and a third flaw in the UniFi management platform. Publicly confirmed threat intelligence associates the trio with automated exploitation activity targeting internet-exposed security gateways and console appliances.
Action required: Update all UniFi OS consoles to version 4.0.6 or later immediately. Verify that UniFi management interfaces are not directly exposed to the internet. Review the full Ubiquiti security advisory — all three CVEs are being exploited as a chain.
The strategic targeting pattern of June 2026
Three distinct target categories appeared in the same KEV batch: industrial PLM, enterprise communications infrastructure, and network management platforms. This distribution reflects a deliberate attacker strategy: targeting platforms that provide broad administrative control and network visibility rather than hunting for isolated system access. A compromised Windchill server leaks engineering IP to espionage actors. A compromised Cisco UCM server enables communication interception and internal network mapping. A compromised UniFi console provides control of the entire network infrastructure it manages.
Teams should prioritize patching these categories of platforms ahead of traditional perimeter security tools. Successful exploitation of administrative platforms frequently provides attackers with access to every system those platforms touch.
Track actively exploited CVEs across your stack on EOLCanary.
