Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 15 minutes
CISA added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog this week, including critical flaws affecting PTC Windchill, Cisco Unified Communications Manager, Lantronix EDS5000, and Ubiquiti UniFi OS. The additions highlight continued attacker interest in enterprise management platforms, communications infrastructure, and network appliances that can provide privileged access to corporate environments. Organizations using these products should validate exposure immediately, prioritize vendor patches, and accelerate remediation in line with CISA's recommended timelines.
| CVE | Vendor / Product | CVSS | EPSS Score | Network Reachable | Date Added | CISA Due Date | Exploitation Type |
|---|---|---|---|---|---|---|---|
| CVE-2026-12569 | PTC Windchill / FlexPLM | 9.3 | 0.00499 | Yes | 25 June 2026 | 16 July 2026 | Remote Code Execution |
| CVE-2026-20230 | Cisco Unified CM / Unified CM SME | 8.6 | 0.00600 | Yes | 25 June 2026 | 16 July 2026 | Server-Side Request Forgery (SSRF) |
| CVE-2025-67038 | Lantronix EDS5000 | 9.8 | 0.01100 | Yes | 23 June 2026 | 14 July 2026 | Code Injection |
| CVE-2026-34910 | Ubiquiti UniFi OS | 10.0 | 0.04509 | Yes | 23 June 2026 | 14 July 2026 | Command Injection |
| CVE-2026-34909 | Ubiquiti UniFi OS | 10.0 | 0.04509 | Yes | 23 June 2026 | 14 July 2026 | Path Traversal |
| CVE-2026-34908 | Ubiquiti UniFi OS | 10.0 | 0.04509 | Yes | 23 June 2026 | 14 July 2026 | Improper Access Control |
CVE-2026-12569: PTC Windchill / FlexPLM
What it is
An improper input validation vulnerability that allows an unauthenticated remote attacker to execute arbitrary code by sending a crafted network request.
Affected versions
PTC Windchill and FlexPLM versions 11.1 SP8X through 13.0.1.0 are affected.
Exploitation status
Added to the CISA KEV Catalog, confirming evidence of active exploitation. Public threat intelligence indicates that state-sponsored espionage actors are targeting this vector to plant persistent web shells.
Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.00499.
Patch available
Yes - Fixed in security updates released via PTC Advisory PTC-SEC-2026-0414.
CISA due date
16 July 2026
Operational risk
PTC Windchill is widely deployed within engineering and manufacturing environments, making successful compromise particularly valuable to attackers seeking intellectual property or privileged enterprise access. Organizations exposing Windchill externally should prioritize remediation immediately due to the potential for unauthenticated remote code execution.
CVE-2026-20230: Cisco Unified CM / Unified CM SME
What it is
A server-side request forgery (SSRF) vulnerability that could allow an attacker to abuse the affected server to make unintended requests to internal or external resources.
Affected versions
Cisco Unified CM and Unified CM SME versions 12.5(1) through 15SU1 are affected.
Exploitation status
Added to the CISA KEV Catalog, confirming active exploitation. Public reports describe functional exploitation chained with internal routing weaknesses to map private network topology.
Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.00600.
Patch available
Yes - Fixed in releases detailed in Cisco Security Advisory cisco-sa-cucm-ssrf-202606.
CISA due date
16 July 2026
Operational risk
Unified Communications Manager frequently occupies trusted positions within enterprise networks. Even where direct code execution is not possible, SSRF vulnerabilities can facilitate reconnaissance, internal service access, credential exposure, or chained attacks against adjacent systems.
CVE-2025-67038: Lantronix EDS5000
What it is
A code injection vulnerability allowing arbitrary operating system commands to be executed through the username parameter with root privileges.
Affected versions
Lantronix EDS5000 series running firmware versions prior to v6.12.0.4.
Exploitation status
Added to the CISA KEV Catalog. Open-source proof-of-concept (PoC) exploit code is publicly available, and weaponization has been observed by scanning botnets.
Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.01100.
Patch available
Yes - Addressed in firmware update v6.12.0.4 via Lantronix Security Notice LN-2025-R55.
CISA due date
14 July 2026
Operational risk
Industrial and remote management devices frequently operate with elevated privileges and long deployment lifecycles. Root-level command execution significantly increases the risk of persistent compromise and lateral movement where these appliances remain internet accessible or poorly segmented.
CVE-2026-34910: Ubiquiti UniFi OS (Command Injection)
What it is
An improper input validation vulnerability allowing command injection by an attacker with network access.
Affected versions
UniFi OS Console firmware versions 3.2.12 through 4.0.5 are affected.
Exploitation status
Added to the CISA KEV Catalog. Adversaries are actively leveraging this flaw alongside public exploit frameworks.
Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.04509.
Patch available
Yes - Fixed in UniFi OS version 4.0.6 and later via Ubiquiti Security Advisory UI-SA-2026-349.
CISA due date
14 July 2026
Operational risk
Network management platforms frequently provide administrative control across multiple devices. Successful command injection could enable attackers to compromise infrastructure management functions or establish privileged persistence.
CVE-2026-34909: Ubiquiti UniFi OS (Path Traversal)
What it is
A path traversal vulnerability allowing access to files on the underlying operating system.
Affected versions
UniFi OS Console firmware versions 3.2.12 through 4.0.5 are affected.
Exploitation status
Added to the CISA KEV Catalog. Active exploitation confirmed via automated exploit chains targeting edge consoles.
Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.04509.
Patch available
Yes - Fixed in UniFi OS version 4.0.6 and later via Ubiquiti Security Advisory UI-SA-2026-349.
CISA due date
14 July 2026
Operational risk
Although path traversal vulnerabilities may initially appear less severe than remote code execution, exposure of sensitive files can facilitate credential theft, privilege escalation, or follow-on compromise when combined with other weaknesses.
CVE-2026-34908: Ubiquiti UniFi OS (Improper Access Control)
What it is
An improper access control vulnerability permitting unauthorized system modifications by an attacker with network access.
Affected versions
UniFi OS Console firmware versions 3.2.12 through 4.0.5 are affected.
Exploitation status
Added to the CISA KEV Catalog. Active exploitation by botnets attempting to gain Initial Access has been confirmed.
Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.04509.
Patch available
Yes - Fixed in UniFi OS version 4.0.6 and later via Ubiquiti Security Advisory UI-SA-2026-349.
CISA due date
14 July 2026
Operational risk
Weak access controls affecting network management systems present significant operational risk because they can undermine administrative trust boundaries and enable configuration changes that support broader attacks against enterprise infrastructure.
This week's KEV additions continue CISA's focus on enterprise infrastructure products that provide high-value administrative access within corporate environments. Four of the six additions affect network or infrastructure management platforms, while Cisco Unified Communications Manager and PTC Windchill remain widely deployed across large organizations and critical industries.
Publicly confirmed threat intelligence associates the Ubiquiti vulnerability trio with automated exploitation activity targeting vulnerable, internet-exposed security gateways and console appliances.
Where no public attribution exists beyond CISA's KEV listing, defenders should note that inclusion in the KEV Catalog is itself confirmation of exploitation in the wild, even where detailed campaign reporting has not yet been published.
| Priority | CVE | Recommended Action | Timeline |
|---|---|---|---|
| 1 | CVE-2026-12569 | Patch internet-facing Windchill servers immediately and validate external exposure. | Immediate |
| 2 | CVE-2025-67038 | Update EDS5000 appliances and restrict administrative access. | Within 24 hours |
| 3 | CVE-2026-34910 | Apply UniFi OS updates across management platforms. | Within 24 hours |
| 4 | CVE-2026-20230 | Patch Unified CM environments and review internal network exposure. | Within 72 hours |
| 5 | CVE-2026-34909 | Deploy fixes and review file access controls. | By CISA due date |
| 6 | CVE-2026-34908 | Update affected UniFi OS deployments and validate administrative permissions. | By CISA due date |
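The summary and prioritization tables above combine four inputs: KEV inclusion, the CISA due date, EPSS, and whether the affected product is reachable from the network. The following script is an added example (not the article's or CISA's code) of turning those inputs into a per-asset remediation worklist. It assumes the field names of CISA's `known_exploited_vulnerabilities.json` feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), takes the CVE data, EPSS values and affected ranges from the article, and uses a constructed asset inventory and as-of date. Version ranges that use vendor-specific strings (Windchill's "11.1 SP8X", Unified CM's "12.5(1)" and "15SU1") cannot be compared numerically, so those assets are routed to manual review rather than silently marked safe.

```python
"""Join CISA KEV entries against an asset inventory and build a remediation worklist.

Added example, not the article's or CISA's code. Field names follow CISA's
known_exploited_vulnerabilities.json feed; the inventory and the as-of date
are constructed for the demonstration.
"""
from datetime import date
from typing import Optional

# Constructed subset of the KEV feed, populated from the article's summary table.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-12569", "vendorProject": "PTC", "product": "Windchill",
     "dateAdded": "2026-06-25", "dueDate": "2026-07-16"},
    {"cveID": "CVE-2026-20230", "vendorProject": "Cisco", "product": "Unified CM",
     "dateAdded": "2026-06-25", "dueDate": "2026-07-16"},
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
]

# EPSS probabilities as listed in the article (in production, pulled from the FIRST EPSS API).
EPSS = {"CVE-2026-12569": 0.00499, "CVE-2026-20230": 0.00600, "CVE-2025-67038": 0.01100,
        "CVE-2026-34910": 0.04509, "CVE-2026-34909": 0.04509, "CVE-2026-34908": 0.04509}


def parse_version(text: str) -> Optional[tuple]:
    """Turn a dotted numeric version ('4.0.5' or 'v6.12.0.4') into a comparable tuple.
    Returns None for vendor-specific strings such as '15SU1' or '12.5(1)'."""
    parts = text.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


# Affected ranges from the article as (lower_inclusive, upper_inclusive, upper_exclusive).
# Windchill and Unified CM ranges use vendor-specific version strings and are deliberately
# absent, so assets running them are sent to manual review instead of being marked safe.
AFFECTED = {
    "CVE-2025-67038": (None, None, "6.12.0.4"),   # firmware prior to v6.12.0.4
    "CVE-2026-34910": ("3.2.12", "4.0.5", None),
    "CVE-2026-34909": ("3.2.12", "4.0.5", None),
    "CVE-2026-34908": ("3.2.12", "4.0.5", None),
}


def is_affected(cve: str, version: str) -> Optional[bool]:
    """True/False when the range is machine-checkable, None when it needs manual review."""
    if cve not in AFFECTED:
        return None
    v = parse_version(version)
    if v is None:
        return None
    low, high_incl, high_excl = AFFECTED[cve]
    if low and v < parse_version(low):
        return False
    if high_incl and v > parse_version(high_incl):
        return False
    if high_excl and v >= parse_version(high_excl):
        return False
    return True


# Constructed asset inventory: host, product key matching the KEV 'product' field,
# running version, and whether the management interface is reachable from the internet.
INVENTORY = [
    {"host": "ugw-edge-01",    "product": "UniFi OS",   "version": "4.0.3",    "internet_facing": True},
    {"host": "ugw-branch-02",  "product": "UniFi OS",   "version": "4.0.6",    "internet_facing": False},
    {"host": "eds-plant-07",   "product": "EDS5000",    "version": "6.11.2.1", "internet_facing": False},
    {"host": "windchill-prod", "product": "Windchill",  "version": "13.0.1.0", "internet_facing": True},
    {"host": "cucm-core",      "product": "Unified CM", "version": "15SU1",    "internet_facing": False},
]


def build_worklist(inventory, kev_entries, as_of: str):
    """Return a row for every (asset, KEV entry) pair that is affected or needs review,
    ordered so that internet-facing, confirmed-affected, soonest-due items come first."""
    today = date.fromisoformat(as_of)
    rows = []
    for asset in inventory:
        for entry in kev_entries:
            if entry["product"] != asset["product"]:
                continue
            status = is_affected(entry["cveID"], asset["version"])
            if status is False:
                continue  # patched or outside the affected range
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "status": "affected" if status else "manual review",
                "internet_facing": asset["internet_facing"],
                "days_to_due": (due - today).days,
                "epss": EPSS.get(entry["cveID"], 0.0),
            })
    rows.sort(key=lambda r: (not r["internet_facing"], r["status"] != "affected",
                             r["days_to_due"], -r["epss"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in build_worklist(INVENTORY, KEV_SAMPLE, as_of="2026-06-26"):
        flag = "EXTERNAL" if r["internet_facing"] else "internal"
        print(f'{r["host"]:15} {r["cve"]:15} {r["status"]:14} {flag:9} '
              f'due in {r["days_to_due"]:2d}d  EPSS {r["epss"]:.5f}')
```

The sort key encodes the article's ordering logic rather than raw CVSS: internet-facing assets first, confirmed-affected before manual review, then the CISA due date, then EPSS. The manual-review rows are the important safety property; a version comparator that silently returned False for "15SU1" would drop the Unified CM server from the list entirely.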
| CVE | Detection Guidance |
|---|---|
| CVE-2026-12569 | Monitor web server logs for unexpected requests targeting Windchill application endpoints. Review access logs for foreign or unusual POST operations against JavaServer Pages (JSP) structures. |
| CVE-2026-20230 | Review Unified CM logs for unusual outbound HTTP requests or unexpected internal resource access. Audit systemic logs for SSRF patterns executing requests to loopback addresses or local network ranges. |
| CVE-2025-67038 | Monitor authentication attempts containing abnormal username values or shell metacharacters. Review privileged process execution on EDS5000 devices. |
| CVE-2026-34910 | Investigate command execution originating from UniFi management services and review administrator activity logs. |
| CVE-2026-34909 | Monitor file access requests containing directory traversal sequences and unusual file reads from administrative services. |
| CVE-2026-34908 | Audit configuration changes, privilege modifications, and administrative account activity. Inspect the system configuration audit trails for bypass signatures or unexpected token allocations. |
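Three of the detection rows above describe heuristics that can be checked mechanically: shell metacharacters in a username field (EDS5000), directory traversal sequences in requested paths (UniFi OS), and server-initiated requests to loopback or private address ranges (Unified CM SSRF). The script below is an added example, not the article's code and not a vendor detection rule; it runs those three heuristics over constructed `key="value"` log lines. The log format, field names, hostnames and paths are all constructed for the demonstration (they are not real product endpoints), so the field mapping would need adapting to real Windchill, Unified CM, EDS5000 or UniFi OS logs. The traversal check goes beyond the table's wording by also decoding percent-encoding twice, which catches the double-encoded form that a raw substring match misses.

```python
"""Run the detection heuristics from the guidance table over constructed log lines.

Added example, not the article's code and not a vendor detection rule. The
key="value" log format, the field names and every sample line are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Characters that let a value break out of a shell command: ; & | ` $ ( ) { } < > and newline.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n]")


def parse_line(line: str) -> dict:
    """Parse a constructed key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def has_shell_metachars(value: str) -> bool:
    """A username (or any input field) contains shell metacharacters."""
    return bool(SHELL_META_RE.search(value))


def has_traversal(path: str) -> bool:
    """Directory traversal, checked raw and after one and two rounds of percent-decoding,
    so that '..%2f' and double-encoded '%252e%252e%252f' are both caught."""
    candidates = {path, unquote(path), unquote(unquote(path))}
    return any("../" in c or "..\\" in c for c in candidates)


def targets_internal(url: str) -> bool:
    """Outbound request whose host is loopback, private or link-local (an SSRF pattern)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname; resolving it to check the address is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local


# Rules: (event type, field to inspect, predicate, rule name)
RULES = [
    ("auth",     "user", has_shell_metachars, "SHELL_METACHAR_IN_USERNAME"),
    ("http",     "path", has_traversal,       "PATH_TRAVERSAL"),
    ("outbound", "dst",  targets_internal,    "SSRF_INTERNAL_TARGET"),
]


def scan(lines):
    """Return (line_number, rule_name, offending_value) for every rule that fires."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        for event, field, pred, name in RULES:
            if fields.get("event") == event and field in fields and pred(fields[field]):
                hits.append((n, name, fields[field]))
    return hits


# Constructed sample: usernames, paths and hosts are placeholders, not real product endpoints.
SAMPLE_LOG = [
    'event="auth" user="operator" src="10.20.0.5" result="fail"',
    'event="auth" user="admin;id" src="203.0.113.9" result="fail"',
    'event="http" path="/api/files?name=report.pdf" src="10.20.0.7"',
    'event="http" path="/api/files?name=%2e%2e%2f%2e%2e%2fconfig.ini" src="203.0.113.9"',
    'event="http" path="/static/%252e%252e%252fsecrets.txt" src="203.0.113.9"',
    'event="outbound" dst="https://updates.example.com/manifest" src="cucm-core"',
    'event="outbound" dst="http://127.0.0.1:8443/admin" src="cucm-core"',
    'event="outbound" dst="http://169.254.169.254/latest/" src="cucm-core"',
]

if __name__ == "__main__":
    for n, rule, value in scan(SAMPLE_LOG):
        print(f"line {n}: {rule}  <- {value}")
```

Two caveats a practitioner should keep in mind: the SSRF rule only classifies literal IP addresses, so a hostname that resolves to an internal address passes unless the detector also resolves names; and the metacharacter rule will fire on legitimate but unusual usernames, so it is a triage signal to correlate with the privileged process execution the table recommends reviewing, not a blocking rule.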
The latest KEV additions reinforce a trend seen throughout 2026: attackers continue to prioritize enterprise platforms that provide broad administrative control rather than focusing solely on edge devices. Three related vulnerabilities affecting UniFi OS also demonstrate that once researchers identify weaknesses within a management platform, organizations should evaluate the entire advisory rather than remediating only the most severe CVE.
Security teams should also avoid treating KEV additions as isolated events. A growing proportion of recent catalog entries affect systems that manage other systems: communications platforms, engineering lifecycle software, infrastructure appliances, and centralized administration consoles. These products often sit at the intersection of operational technology and enterprise IT, making them attractive targets for attackers seeking efficient paths to privilege escalation, persistence, and lateral movement.
🔗 Exposure-Based Vulnerability Prioritization: EPSS, KEV & Risk
Why read this: Integrate EPSS scoring with KEV intelligence for exposure-driven remediation decisions.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/vulnerability-management-operational-risk-exposure-prioritization
🔗 CVE Overload: Why Most Patch Programs Fail
Why read this: Identify systemic vulnerabilities in traditional patching workflows.
https://www.hackerstorm.com/articles/our-blog/vulnerabililty-intelligence/why-most-patch-programs-fail
🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Replace static severity scoring with probability-based threat modeling.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/cvss-vs-epss-vulnerability-prioritisation-exploitation-risk
This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available.
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.
CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-12569
https://nvd.nist.gov/vuln/detail/CVE-2026-20230
https://nvd.nist.gov/vuln/detail/CVE-2025-67038
https://nvd.nist.gov/vuln/detail/CVE-2026-34910
https://nvd.nist.gov/vuln/detail/CVE-2026-34909
https://nvd.nist.gov/vuln/detail/CVE-2026-34908
PTC Security Advisory: https://www.ptc.com/en/support/article/PTC-SEC-2026-0414
Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-202606
Lantronix Security Advisory: https://www.lantronix.com/support/security-advisories/LN-2025-R55
Ubiquiti Security Advisory: https://community.ui.com/releases/Security-Advisory-UI-SA-2026-349
Threat Intelligence Source: CISA KEV Catalog Monitoring Operational Feed