CISA Sounds the Alarm: Two Critical Zero-Day Flaws in Cisco and PTC PLM Software Are Being Exploited Right Now—Patch Within 48 Hours! + Video

By /

Listen to this Post

Featured Image

Introduction:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has just added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that active exploitation is underway in the wild. One flaw enables remote code execution in PTC Windchill and FlexPLM—product lifecycle management (PLM) systems trusted by defense, aerospace, and automotive giants like Lockheed Martin and Boeing—while the other allows server-side request forgery (SSRF) in Cisco Unified Communications Manager (Unified CM). With CISA mandating federal agencies to remediate both by June 28, 2026, private organizations are strongly urged to follow suit immediately.

Learning Objectives:

  • Understand the technical mechanics of CVE-2026-12569 (PTC Windchill/FlexPLM RCE) and CVE-2026-20230 (Cisco Unified CM SSRF).
  • Learn step-by-step mitigation, patching, and workaround procedures for both vulnerabilities across Linux and Windows environments.
  • Master detection techniques, including log analysis, indicator of compromise (IoC) hunting, and web shell discovery.
  • Implement network-level hardening and access controls to reduce attack surface while awaiting patches.

You Should Know:

  1. CVE-2026-12569: Critical RCE in PTC Windchill and FlexPLM via Unsafe Deserialization

This vulnerability, rated 9.3 on the CVSS scale, stems from improper input validation in the web-based Windchill PDMLink component. An unauthenticated remote attacker can exploit insecure deserialization of untrusted data to execute arbitrary code on the underlying server. PTC began releasing patches on June 17, 2026, for versions 13.1.1, 13.0.2, 12.1.2, 12.0.2, 11.2.1, 11.1 M020, and 11.0 M030. However, attackers have already been deploying persistent JSP webshells on compromised instances, enabling ongoing remote command execution and data exfiltration.

Step-by-Step Mitigation & Patching Guide:

Step 1: Identify Affected Versions

  • Check your Windchill/FlexPLM version via the admin console or by reviewing the `build.properties` file in the installation directory.
  • Affected: All CPS versions and releases prior to 11.0 M030.

Step 2: Apply Official Patches Immediately

  • Download the appropriate patch from PTC’s Software Download portal for your version:
  • Windchill 13.1.1, 13.0.2, 12.1.2, 12.0.2, 11.2.1, 11.1 M020, 11.0 M030
  • On Windows Server, stop the Windchill services before applying: 
    net stop "Windchill Directory Server"
net stop "Apache Tomcat" / "Windchill"
  • Apply the patch using the PTC Solution Installer (PSI) or manual JAR replacement as per vendor instructions.
  • Restart services after patch completion: 
    net start "Windchill Directory Server"
net start "Apache Tomcat"

Step 3: If Patching Is Not Immediately Possible—Implement Workarounds
– Restrict network access to the Windchill web interface (typically ports 8080/8443) using host-based firewalls or network ACLs. Allow only trusted IP ranges.
– On Linux, use iptables:

iptables -A INPUT -p tcp --dport 8080 -s <trusted_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

– On Windows, use the advanced firewall:

New-1etFirewallRule -DisplayName "Block Windchill Public" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action Block -RemoteAddress Any

Step 4: Hunt for Indicators of Compromise (IoCs)

PTC has published IoCs, including suspicious JSP files and webshell patterns. Check the Windchill web application directory (e.g., \ptc\Windchill\codebase) for unexpected `.jsp` files. On Linux:

find /opt/ptc/Windchill/codebase -1ame ".jsp" -mtime -7 -type f

On Windows (PowerShell):

Get-ChildItem -Path "C:\ptc\Windchill\codebase" -Recurse -Include .jsp | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

– Review Tomcat access logs (localhost_access_log..txt) for unusual POST requests to JSP endpoints.
– Search for outbound connections to unknown external IPs from the Windchill server.

  1. CVE-2026-20230: Cisco Unified CM SSRF Leading to Privilege Escalation

This flaw (CVSS 8.6) allows an unauthenticated remote attacker to perform server-side request forgery by sending specially crafted HTTP requests to an affected Cisco Unified Communications Manager or Unified CM SME device. The root cause is improper input validation in specific HTTP request handling. Critically, while exploitation requires the WebDialer service to be enabled (disabled by default), successful SSRF can allow the attacker to write files to the underlying OS, which may later be leveraged to escalate privileges to root. Public proof-of-concept (PoC) code is already available.

Step-by-Step Mitigation & Hardening Guide:

Step 1: Verify WebDialer Service Status

  • Log in to the Cisco Unified CM Administration interface.
  • Navigate to System > Service Parameters.
  • Select the server and service “Cisco CallManager”.
  • Locate the parameter “Enable WebDialer”—if set to True, it is enabled.

Step 2: Disable WebDialer If Not Required

  • If your organization does not use WebDialer, set the parameter to `False` and restart the Cisco CallManager service.
  • This eliminates the attack vector entirely.

Step 3: Apply Cisco Patch

  • Cisco has released fixed versions. Check the Cisco Security Advisory for your Unified CM version.
  • On Linux-based Cisco Unified CM, apply the patch using the Cisco Unified OS Administration interface or via the command line: 
    utils system upgrade install <patch_filename>

Step 4: Implement Network Segmentation

  • Restrict access to the Unified CM administration and web interfaces (ports 443, 8443) to only authorized management subnets.
  • Use access control lists (ACLs) on the network devices: 
    access-list 101 permit tcp <mgmt_subnet> <wildcard> host <CUCM_IP> eq 443
access-list 101 deny ip any host <CUCM_IP> eq 443

Step 5: Monitor for SSRF Attempts

  • Enable detailed logging on Cisco Unified CM: System > Logging > Log Profiles.
  • Monitor the Event Viewer for unusual HTTP requests containing internal IP addresses or localhost references.
  • Use Cisco RTMT (Real-Time Monitoring Tool) to alert on suspicious patterns.

3. Broader Implications for PLM and UC Security

The active exploitation of PTC Windchill—marking the first-ever PTC product vulnerability added to CISA’s KEV catalog—is a watershed moment for industrial and manufacturing cybersecurity. PLM systems are repositories of crown-jewel intellectual property, including CAD designs, bills of materials, and engineering workflows. A successful breach can lead to industrial espionage, supply chain compromise, and extortion. Meanwhile, the Cisco Unified CM SSRF vulnerability underscores the risk of seemingly minor misconfigurations (like enabling WebDialer) cascading into full system takeover.

Step-by-Step Hardening for PLM and UC Environments:

Step 1: Enforce Principle of Least Privilege

  • Ensure Windchill and Unified CM service accounts have minimum necessary permissions.
  • On Windows, use `icacls` to restrict file system permissions: 
    icacls "C:\ptc\Windchill" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F"

Step 2: Enable Comprehensive Auditing

  • On Windows, enable audit policy for process creation and object access: 
    auditpol /set /category:"Detailed Tracking" /subcategory:"Process Creation" /success:enable /failure:enable
  • On Linux, enable auditd to monitor the Windchill directory: 
    auditctl -w /opt/ptc/Windchill/ -p wa -k windchill_changes

Step 3: Deploy Web Application Firewall (WAF) Rules

  • If a WAF sits in front of Windchill or Unified CM, add rules to block deserialization payloads and SSRF patterns (e.g., requests containing 127.0.0.1, 169.254.169.254, or internal IP ranges).

Step 4: Regular Vulnerability Scanning

  • Integrate CISA’s KEV catalog into your vulnerability management lifecycle. Scan for CVE-2026-12569 and CVE-2026-20230 using tools like Nessus or Qualys.
  • On Linux, use `nmap` to check for exposed services: 
    nmap -p 8080,8443,443 <target_IP> --script=http-title

4. Detection and Incident Response Playbook

Given active exploitation, organizations must assume compromise if they have not yet patched. Immediate detection and response are critical.

Step-by-Step IR Actions:

Step 1: Isolate Affected Systems

  • If IoCs are found, isolate the Windchill or Unified CM server from the network to prevent lateral movement.
  • On Linux: 
    ip link set <interface> down
  • On Windows (PowerShell): 
    Disable-1etAdapter -1ame "<AdapterName>" -Confirm:$false

Step 2: Capture Forensic Artifacts

  • Collect memory dumps, logs, and file system snapshots.
  • On Linux, use `tar` to archive critical directories: 
    tar -czvf windchill_forensic_$(date +%Y%m%d).tgz /opt/ptc/Windchill/logs /var/log/tomcat
  • On Windows, use built-in tools or third-party forensic suites.

Step 3: Eradicate Web Shells

  • Delete any unauthorized JSP files. Verify integrity of core Windchill JAR files against known good hashes from PTC.
  • Reset all credentials associated with the application and service accounts.

Step 4: Report to CISA

  • If you are a federal agency or critical infrastructure, report the compromise to CISA via the provided channels.

What Undercode Say:

  • Key Takeaway 1: The addition of these vulnerabilities to CISA’s KEV catalog is not a warning—it is a mandate. Federal agencies have just 48 hours to patch; private enterprises should treat this as an emergency response trigger.
  • Key Takeaway 2: The PTC Windchill RCE is particularly dangerous because PLM systems are often considered “business-critical” but not always treated as security-critical. Attackers are leveraging this gap to deploy persistent webshells, turning IP repositories into backdoors.
  • Key Takeaway 3: The Cisco SSRF flaw highlights how a default-disabled feature (WebDialer) can become an Achilles’ heel if enabled without proper risk assessment. Organizations must audit all enabled services and disable unnecessary functionality.

Analysis: The convergence of these two vulnerabilities—one targeting operational technology-adjacent PLM systems and the other targeting enterprise communications—signals a broadening of threat actor focus beyond traditional IT infrastructure. Manufacturing, defense, and aerospace sectors are now squarely in the crosshairs. The fact that German police physically alerted companies about an earlier Windchill zero-day in March 2026 underscores the severity and geopolitical dimensions of these threats. Organizations must adopt a zero-trust architecture for all enterprise applications, not just perimeter defenses. Furthermore, the availability of public PoC for the Cisco flaw means that script-kiddie-level actors can now join sophisticated APT groups in exploiting unpatched systems. This is a race against time where patch management, continuous monitoring, and rapid incident response are the only defenses.

Prediction:

  • +1 The heightened awareness from CISA’s KEV addition will accelerate patch adoption in the private sector, potentially reducing the window of exploitation for newly discovered flaws going forward.
  • -1 However, the sophistication of the PTC webshell deployment suggests that many organizations may already be compromised without knowing it. Expect a wave of breach disclosures in the coming weeks as forensic investigations uncover long-standing backdoors.
  • -1 The success of this attack campaign will likely inspire threat actors to target other PLM and product data management (PDM) platforms, including Siemens Teamcenter and Dassault Systèmes ENOVIA, as copycat attacks emerge.
  • +1 On the positive side, this incident will drive increased investment in application security for industrial software, pushing vendors like PTC to adopt more rigorous secure development lifecycle (SDLC) practices and faster patch release cycles.
  • -1 The Cisco SSRF vulnerability, while requiring WebDialer to be enabled, demonstrates that even “high-complexity” flaws can be trivially exploited when misconfigurations exist. Expect an increase in SSRF-related attacks across all Cisco Unified CM deployments globally.
  • -1 With CISA mandating a 48-hour remediation window, many overstretched IT teams will struggle to meet the deadline, leading to rushed patching that could introduce stability issues in critical production environments—trading security for operational risk.

▶️ Related Video (64% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Dlross Us – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: