Weekly CISA KEV Updates: 29 June 2026 - Six New Known Exploited Vulnerabilities Added

Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 15 minutes

CISA added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog this week, including critical flaws affecting PTC Windchill, Cisco Unified Communications Manager, Lantronix EDS5000, and Ubiquiti UniFi OS. The additions highlight continued attacker interest in enterprise management platforms, communications infrastructure, and network appliances that can provide privileged access to corporate environments. Organizations using these products should validate exposure immediately, prioritize vendor patches, and accelerate remediation in line with CISA's recommended timelines.

This Week's KEV Additions

CVE | Vendor / Product | CVSS | EPSS Score | Network Reachable | Date Added | CISA Due Date | Exploitation Type
--- | --- | --- | --- | --- | --- | --- | ---
CVE-2026-12569 | PTC Windchill / FlexPLM | 9.3 | 0.00499 | Yes | 25 June 2026 | 16 July 2026 | Remote Code Execution
CVE-2026-20230 | Cisco Unified CM / Unified CM SME | 8.6 | 0.00600 | Yes | 25 June 2026 | 16 July 2026 | Server-Side Request Forgery (SSRF)
CVE-2025-67038 | Lantronix EDS5000 | 9.8 | 0.01100 | Yes | 23 June 2026 | 14 July 2026 | Code Injection
CVE-2026-34910 | Ubiquiti UniFi OS | 10.0 | 0.04509 | Yes | 23 June 2026 | 14 July 2026 | Command Injection
CVE-2026-34909 | Ubiquiti UniFi OS | 10.0 | 0.04509 | Yes | 23 June 2026 | 14 July 2026 | Path Traversal
CVE-2026-34908 | Ubiquiti UniFi OS | 10.0 | 0.04509 | Yes | 23 June 2026 | 14 July 2026 | Improper Access Control

Analysis

CVE-2026-12569 - PTC Windchill & FlexPLM

What it is
An improper input validation vulnerability that allows an unauthenticated remote attacker to execute arbitrary code by sending a crafted network request.

Affected versions
PTC Windchill and FlexPLM versions 11.1 SP8X through 13.0.1.0 are affected.

Exploitation status
Added to the CISA KEV Catalog, confirming evidence of active exploitation. Public threat intelligence reporting indicates state-sponsored espionage actors are targeting this vector to plant persistent web shells.

Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.00499.

Patch available
Yes - Fixed in security updates released via PTC Advisory PTC-SEC-2026-0414.

CISA due date
16 July 2026

Operational risk
PTC Windchill is widely deployed within engineering and manufacturing environments, making successful compromise particularly valuable to attackers seeking intellectual property or privileged enterprise access. Organizations exposing Windchill externally should prioritize remediation immediately due to the potential for unauthenticated remote code execution.

CVE-2026-20230 - Cisco Unified Communications Manager

What it is
A server-side request forgery (SSRF) vulnerability that could allow an attacker to abuse the affected server to make unintended requests to internal or external resources.

Affected versions
Cisco Unified CM and Unified CM SME versions 12.5(1) through 15SU1 are affected.

Exploitation status
Added to the CISA KEV Catalog, confirming active exploitation. Public reports detail functional exploitation chained with internal routing weaknesses to map private network topology.

Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.00600.

Patch available
Yes - Fixed in releases detailed in Cisco Security Advisory cisco-sa-cucm-ssrf-202606.

CISA due date
16 July 2026

Operational risk
Unified Communications Manager frequently occupies trusted positions within enterprise networks. Even where direct code execution is not possible, SSRF vulnerabilities can facilitate reconnaissance, internal service access, credential exposure, or chained attacks against adjacent systems.

CVE-2025-67038 - Lantronix EDS5000

What it is
A code injection vulnerability allowing arbitrary operating system commands to be executed through the username parameter with root privileges.

Affected versions
Lantronix EDS5000 series running firmware versions prior to v6.12.0.4.

Exploitation status
Added to the CISA KEV Catalog. Open-source proof-of-concept (PoC) exploit code is publicly available, and weaponization has been observed by scanning botnets.

Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.01100.

Patch available
Yes - Addressed in firmware update v6.12.0.4 via Lantronix Security Notice LN-2025-R55.

CISA due date
14 July 2026

Operational risk
Industrial and remote management devices frequently operate with elevated privileges and long deployment lifecycles. Root-level command execution significantly increases the risk of persistent compromise and lateral movement where these appliances remain internet accessible or poorly segmented.

CVE-2026-34910 - Ubiquiti UniFi OS

What it is
An improper input validation vulnerability allowing command injection by an attacker with network access.

Affected versions
UniFi OS Console firmware versions 3.2.12 through 4.0.5 are affected.

Exploitation status
Added to the CISA KEV Catalog. Adversaries are actively leveraging this flaw alongside public exploit frameworks.

Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.04509.

Patch available
Yes - Fixed in UniFi OS version 4.0.6 and later via Ubiquiti Security Advisory UI-SA-2026-349.

CISA due date
14 July 2026

Operational risk
Network management platforms frequently provide administrative control across multiple devices. Successful command injection could enable attackers to compromise infrastructure management functions or establish privileged persistence.

CVE-2026-34909 - Ubiquiti UniFi OS

What it is
A path traversal vulnerability allowing access to files on the underlying operating system.

Affected versions
UniFi OS Console firmware versions 3.2.12 through 4.0.5 are affected.

Exploitation status
Added to the CISA KEV Catalog. Active exploitation confirmed via automated exploit chains targeting edge consoles.

Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.04509.

Patch available
Yes - Fixed in UniFi OS version 4.0.6 and later via Ubiquiti Security Advisory UI-SA-2026-349.

CISA due date
14 July 2026

Operational risk
Although path traversal vulnerabilities may initially appear less severe than remote code execution, exposure of sensitive files can facilitate credential theft, privilege escalation, or follow-on compromise when combined with other weaknesses.

CVE-2026-34908 - Ubiquiti UniFi OS

What it is
An improper access control vulnerability permitting unauthorized system modifications by an attacker with network access.

Affected versions
UniFi OS Console firmware versions 3.2.12 through 4.0.5 are affected.

Exploitation status
Added to the CISA KEV Catalog. Active exploitation by botnets attempting to gain Initial Access has been confirmed.

Network reachability and EPSS
Reachable via network (AV:N). Current EPSS score is 0.04509.

Patch available
Yes - Fixed in UniFi OS version 4.0.6 and later via Ubiquiti Security Advisory UI-SA-2026-349.

CISA due date
14 July 2026

Operational risk
Weak access controls affecting network management systems present significant operational risk because they can undermine administrative trust boundaries and enable configuration changes that support broader attacks against enterprise infrastructure.
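
The "Affected versions" statements in the six entries above only become actionable once they are checked against an asset inventory. The Python below is an added example (not part of this report and not vendor tooling): the AFFECTED ranges transcribe the version statements and fix versions given on this page, the INVENTORY hosts are constructed sample data, and reducing vendor suffixes such as "SP8X" or "SU1" to their digits is a simplification. It also shows the classic pitfall of comparing version strings lexically, under which "4.0.10" sorts before the fixed "4.0.6".

```python
"""Check a constructed asset inventory against this week's affected-version ranges.

Added example, not part of the original report. AFFECTED transcribes the
"Affected versions" and "Patch available" statements above; INVENTORY rows are
constructed sample hosts, not real systems.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Reduce a vendor version string to a tuple of its numeric components.

    '4.0.6' -> (4, 0, 6); 'v6.12.0.4' -> (6, 12, 0, 4); '12.5(1)' -> (12, 5, 1).
    String comparison is the classic pitfall ('4.0.10' < '4.0.6' as strings);
    integer tuples compare in the intended order. Suffixes such as 'SP8X' or
    'SU1' are reduced to their digits, which is a simplification (assumption).
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str
    first: Optional[str]  # earliest affected version; None means every earlier version
    last: Optional[str]   # latest version listed as affected (inclusive); None if unstated
    fixed: Optional[str]  # first fixed version; None when the advisory only says "apply update"

    def is_affected(self, installed: str) -> bool:
        v = parse_version(installed)
        if self.first is not None and v < parse_version(self.first):
            return False
        if self.fixed is not None:
            # A known fix version is the authoritative upper bound: anything below it,
            # including interim builds above 'last', is still treated as affected.
            return v < parse_version(self.fixed)
        if self.last is None:
            raise ValueError(f"{self.cve}: need either a fixed or a last affected version")
        return v <= parse_version(self.last)


# Transcribed from the per-CVE "Affected versions" / "Patch available" statements above.
AFFECTED = [
    AffectedRange("CVE-2026-12569", "PTC Windchill", "11.1 SP8X", "13.0.1.0", None),
    AffectedRange("CVE-2026-20230", "Cisco Unified CM", "12.5(1)", "15SU1", None),
    AffectedRange("CVE-2025-67038", "Lantronix EDS5000", None, None, "v6.12.0.4"),
    AffectedRange("CVE-2026-34910", "Ubiquiti UniFi OS", "3.2.12", "4.0.5", "4.0.6"),
    AffectedRange("CVE-2026-34909", "Ubiquiti UniFi OS", "3.2.12", "4.0.5", "4.0.6"),
    AffectedRange("CVE-2026-34908", "Ubiquiti UniFi OS", "3.2.12", "4.0.5", "4.0.6"),
]

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("plm-01.example.test", "PTC Windchill", "12.1.0.0"),
    ("cucm-01.example.test", "Cisco Unified CM", "14.0(1)"),
    ("eds-lab-07.example.test", "Lantronix EDS5000", "v6.11.2.0"),
    ("unifi-hq.example.test", "Ubiquiti UniFi OS", "4.0.10"),
    ("unifi-branch.example.test", "Ubiquiti UniFi OS", "3.2.12"),
]


def exposed_assets(inventory, ranges=AFFECTED):
    """Return (host, cve) pairs for every inventory entry inside an affected range."""
    hits = []
    for host, product, version in inventory:
        for r in ranges:
            if r.product == product and r.is_affected(version):
                hits.append((host, r.cve))
    return hits


if __name__ == "__main__":
    for host, cve in exposed_assets(INVENTORY):
        print(f"{host:<28} {cve}")
```

Note that the host running UniFi OS 4.0.10 is correctly reported as patched; a scanner that compares version strings as text would flag it as affected and bury the real 3.2.12 console in noise.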

Exploitation Context

This week's KEV additions continue CISA's focus on enterprise infrastructure products that provide high-value administrative access within corporate environments. Four of the six additions affect network or infrastructure management platforms, while Cisco Unified Communications Manager and PTC Windchill remain widely deployed across large organizations and critical industries.

Publicly confirmed threat intelligence associates the Ubiquiti vulnerability trio with automated exploitation activity targeting vulnerable, internet-exposed security gateways and console appliances.

Where no public attribution exists beyond CISA's KEV listing, defenders should note that inclusion in the KEV Catalog alone confirms evidence of exploitation in the wild, even where detailed campaign reporting has not yet been published.

Remediation Priorities

Priority | CVE | Recommended Action | Timeline
--- | --- | --- | ---
1 | CVE-2026-12569 | Patch internet-facing Windchill servers immediately and validate external exposure. | Immediate
2 | CVE-2025-67038 | Update EDS5000 appliances and restrict administrative access. | Within 24 hours
3 | CVE-2026-34910 | Apply UniFi OS updates across management platforms. | Within 24 hours
4 | CVE-2026-20230 | Patch Unified CM environments and review internal network exposure. | Within 72 hours
5 | CVE-2026-34909 | Deploy fixes and review file access controls. | By CISA due date
6 | CVE-2026-34908 | Update affected UniFi OS deployments and validate administrative permissions. | By CISA due date
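
The priority table above is an analyst judgement that weights exploitation type and exposure on top of the raw signals. To show how the numeric inputs in this week's table (EPSS, CVSS, CISA due date) can be turned into a repeatable ordering with deadline tracking, here is an added Python example that is not part of this report. ROWS transcribes the KEV additions table; EXPOSURE is constructed data for a hypothetical estate, and the sort key is one exposure-driven heuristic rather than CISA or FIRST guidance, so its output will not match the table above wherever exploitation type would change the call.

```python
"""Rank this week's KEV additions by deadline status, exposure and exploitation signals.

Added example, not part of the original report. ROWS transcribes the KEV additions
table on this page; EXPOSURE is constructed data for a hypothetical estate; the
scoring order is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str
    cvss: float
    epss: float
    network_reachable: bool
    due: date
    exploitation_type: str


ROWS = [
    KevEntry("CVE-2026-12569", "PTC Windchill / FlexPLM", 9.3, 0.00499, True, date(2026, 7, 16), "Remote Code Execution"),
    KevEntry("CVE-2026-20230", "Cisco Unified CM", 8.6, 0.00600, True, date(2026, 7, 16), "Server-Side Request Forgery"),
    KevEntry("CVE-2025-67038", "Lantronix EDS5000", 9.8, 0.01100, True, date(2026, 7, 14), "Code Injection"),
    KevEntry("CVE-2026-34910", "Ubiquiti UniFi OS", 10.0, 0.04509, True, date(2026, 7, 14), "Command Injection"),
    KevEntry("CVE-2026-34909", "Ubiquiti UniFi OS", 10.0, 0.04509, True, date(2026, 7, 14), "Path Traversal"),
    KevEntry("CVE-2026-34908", "Ubiquiti UniFi OS", 10.0, 0.04509, True, date(2026, 7, 14), "Improper Access Control"),
]

# Constructed exposure data for a hypothetical estate: True = the affected
# product is reachable from the internet in this environment.
EXPOSURE = {
    "CVE-2026-12569": True,
    "CVE-2026-20230": False,
    "CVE-2025-67038": True,
    "CVE-2026-34910": False,
    "CVE-2026-34909": False,
    "CVE-2026-34908": False,
}

_STATUS_ORDER = {"OVERDUE": 0, "DUE WITHIN 7 DAYS": 1, "ON TRACK": 2}


def days_remaining(entry: KevEntry, today: date) -> int:
    """Days until the CISA due date; negative once the deadline has passed."""
    return (entry.due - today).days


def sla_status(entry: KevEntry, today: date) -> str:
    d = days_remaining(entry, today)
    if d < 0:
        return "OVERDUE"
    if d <= 7:
        return "DUE WITHIN 7 DAYS"
    return "ON TRACK"


def prioritize(rows, exposure, today):
    """Order entries for remediation.

    Sort key, most important first: deadline status, internet exposure, EPSS
    (probability of exploitation), CVSS (impact if exploited), then CVE id so
    ties such as the three UniFi entries come out deterministically.
    """
    def key(e: KevEntry):
        return (
            _STATUS_ORDER[sla_status(e, today)],
            0 if exposure.get(e.cve, False) else 1,
            -e.epss,
            -e.cvss,
            e.cve,
        )

    ordered = sorted(rows, key=key)
    return [
        {
            "priority": i + 1,
            "cve": e.cve,
            "product": e.product,
            "status": sla_status(e, today),
            "days_remaining": days_remaining(e, today),
            "internet_exposed": exposure.get(e.cve, False),
        }
        for i, e in enumerate(ordered)
    ]


if __name__ == "__main__":
    # The report date is used as "today"; pass a later date to see entries turn OVERDUE.
    for row in prioritize(ROWS, EXPOSURE, date(2026, 6, 29)):
        print(f"{row['priority']}. {row['cve']}  {row['product']:<25} "
              f"{row['status']:<18} {row['days_remaining']:>3}d  exposed={row['internet_exposed']}")
```

Run against the report date every entry is on track and the two internet-exposed items lead; run with a date after 14 July the UniFi and Lantronix entries jump to the top as overdue regardless of their other signals, which is the behaviour a KEV tracker needs so that a missed CISA deadline is never hidden by a low EPSS score.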

Detection and Monitoring Guidance

CVE | Detection Guidance
--- | ---
CVE-2026-12569 | Monitor web server logs for unexpected requests targeting Windchill application endpoints. Review access logs for foreign or unusual POST operations against JavaServer Pages (JSP) structures.
CVE-2026-20230 | Review Unified CM logs for unusual outbound HTTP requests or unexpected internal resource access. Audit system logs for SSRF patterns executing requests to loopback addresses or local network ranges.
CVE-2025-67038 | Monitor authentication attempts containing abnormal username values or shell metacharacters. Review privileged process execution on EDS5000 devices.
CVE-2026-34910 | Investigate command execution originating from UniFi management services and review administrator activity logs.
CVE-2026-34909 | Monitor file access requests containing directory traversal sequences and unusual file reads from administrative services.
CVE-2026-34908 | Audit configuration changes, privilege modifications, and administrative account activity. Inspect the system configuration audit trails for bypass signatures or unexpected token allocations.
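
Three of the rows above describe log patterns that can be checked mechanically: directory traversal sequences in file requests (CVE-2026-34909), shell metacharacters in the username parameter (CVE-2025-67038), and server-originated requests to loopback or private address ranges (CVE-2026-20230). The Python below is an added example, not part of this report and not tied to any product's real log format: the access-log lines are constructed in Apache combined-log style, the outbound-request records use a hypothetical "timestamp source url" layout, and the endpoint paths are placeholders. It decodes query values more than once so that double-encoded traversal is not missed, and it classifies SSRF destinations with the standard library's ipaddress module.

```python
"""Run three of the detection rules above over constructed sample logs.

Added example, not part of the original report. ACCESS_LOG and OUTBOUND are
constructed sample data; the paths /api/files and /login are placeholders, not
the affected products' real endpoints.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed web-server access log lines (Apache combined style, abbreviated).
ACCESS_LOG = [
    '10.0.0.5 - - [27/Jun/2026:10:01:12 +0000] "GET /api/files?name=report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Jun/2026:10:02:40 +0000] "GET /api/files?name=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '203.0.113.9 - - [27/Jun/2026:10:02:41 +0000] "GET /api/files?name=%252e%252e%2F%252e%252e%2Fetc%2Fhosts HTTP/1.1" 404 0',
    '198.51.100.4 - - [27/Jun/2026:10:03:05 +0000] "POST /login?username=admin%3Bid HTTP/1.1" 401 0',
    '10.0.0.8 - - [27/Jun/2026:10:03:30 +0000] "POST /login?username=j.smith HTTP/1.1" 200 88',
]

# Constructed outbound-request records from a UC server: "timestamp source url".
OUTBOUND = [
    "2026-06-27T10:05:00Z cucm-01 http://127.0.0.1:8443/admin/",
    "2026-06-27T10:05:02Z cucm-01 http://10.10.5.20/internal/config",
    "2026-06-27T10:06:00Z cucm-01 https://updates.example.com/feed",
]

REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no place in a legitimate username value.
SHELL_META = set(";|&$`<>\n")
# '..' as a complete path segment, with either separator.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Flag traversal in paths/query values and shell metacharacters in usernames."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes each value once
        candidates = [fully_decode(parts.path)] + [
            fully_decode(v) for values in params.values() for v in values
        ]
        if any(TRAVERSAL_RE.search(c.replace("\\", "/")) for c in candidates):
            findings.append({"rule": "path-traversal", "src": m["src"], "target": m["target"]})
        for user in params.get("username", []):
            if SHELL_META & set(fully_decode(user)):
                findings.append({"rule": "username-shell-metachar", "src": m["src"], "target": m["target"]})
    return findings


def host_is_internal(host: str) -> bool:
    """True for loopback, private and link-local address literals or localhost names.

    Hostnames that merely resolve to internal addresses are not caught here; that
    needs DNS resolution at detection time (with DNS-rebinding in mind).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".localhost")
    return ip.is_loopback or ip.is_private or ip.is_link_local


def scan_outbound(records):
    """Flag server-initiated requests whose destination is an internal address."""
    findings = []
    for rec in records:
        ts, src, url = rec.split(" ", 2)
        host = urlsplit(url).hostname or ""
        if host_is_internal(host):
            findings.append({"rule": "ssrf-internal-target", "src": src, "url": url, "ts": ts})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG) + scan_outbound(OUTBOUND):
        print(finding)
```

Against the sample data the scanner raises two traversal findings (one of them double-encoded), one metacharacter finding on the login request, and two internal-target findings for the UC server; the request to the external update host is left alone. Rules like these belong in the SIEM as starting points that are then tuned to each product's real endpoint names and legitimate outbound destinations.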

Hackerstorm Analysis

The latest KEV additions reinforce a trend seen throughout 2026: attackers continue to prioritize enterprise platforms that provide broad administrative control rather than focusing solely on edge devices. Three related vulnerabilities affecting UniFi OS also demonstrate that once researchers identify weaknesses within a management platform, organizations should evaluate the entire advisory rather than remediating only the most severe CVE.

Security teams should also avoid treating KEV additions as isolated events. A growing proportion of recent catalog entries affect systems that manage other systems: communications platforms, engineering lifecycle software, infrastructure appliances, and centralized administration consoles. These products often sit at the intersection of operational technology and enterprise IT, making them attractive targets for attackers seeking efficient paths to privilege escalation, persistence, and lateral movement.

Further Reading

🔗 Exposure-Based Vulnerability Prioritization: EPSS, KEV & Risk
Why read this: Integrate EPSS scoring with KEV intelligence for exposure-driven remediation decisions.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/vulnerability-management-operational-risk-exposure-prioritization

🔗 CVE Overload: Why Most Patch Programs Fail
Why read this: Identify systemic vulnerabilities in traditional patching workflows.
https://www.hackerstorm.com/articles/our-blog/vulnerabililty-intelligence/why-most-patch-programs-fail

🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Replace static severity scoring with probability-based threat modeling.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/cvss-vs-epss-vulnerability-prioritisation-exploitation-risk

About This Report

Attribution Note

This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available.

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor and ITIL, and technologies such as Networking, Operating Systems, PKI and Firewalls. For more information, including independent citations and credentials, visit our About page.

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the Source Transparency section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently.

Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections

Source Transparency

CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-12569
https://nvd.nist.gov/vuln/detail/CVE-2026-20230
https://nvd.nist.gov/vuln/detail/CVE-2025-67038
https://nvd.nist.gov/vuln/detail/CVE-2026-34910
https://nvd.nist.gov/vuln/detail/CVE-2026-34909
https://nvd.nist.gov/vuln/detail/CVE-2026-34908

PTC Security Advisory: https://www.ptc.com/en/support/article/PTC-SEC-2026-0414

Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-202606

Lantronix Security Advisory: https://www.lantronix.com/support/security-advisories/LN-2025-R55

Ubiquiti Security Advisory: https://community.ui.com/releases/Security-Advisory-UI-SA-2026-349

Threat Intelligence Source: CISA KEV Catalog Monitoring Operational Feed