CISA Flags Exploited Cisco CUCM SSRF and PTC Windchill RCE; JFrog Releases DirtyClone Linux Root Exploit

This brief covers cyber/InfoSec developments from the trailing ~48 hours (June 25–27, 2026). Every item below was confirmed against its primary advisory or the CISA KEV catalog, and only items with a primary-source disclosure inside the window are included.

CISA adds actively exploited Cisco Unified CM SSRF flaw (CVE-2026-20230) to KEV

Cisco · June 25, 2026

CISA added CVE-2026-20230 to its Known Exploited Vulnerabilities catalog on June 25, 2026, with a June 28 remediation deadline for federal agencies. The flaw is a server-side request forgery (CWE-918) vulnerability in Cisco Unified Communications Manager and Unified CM SME, carrying a CVSS 3.1 base score of 8.6 and a Cisco Security Impact Rating of Critical. An unauthenticated, remote attacker can send a crafted HTTP request to write files to the underlying OS and later escalate to root; exploitation requires the WebDialer service, which is disabled by default. Cisco first published the advisory on June 3 and has released fixed software (14SU6, 15SU5/COP1); public PoC code exists and outlets reported in-the-wild exploitation over the weekend prior to the KEV listing.

“A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” — Cisco Security Advisory cisco-sa-cucm-ssrf-cXPnHcW

Source: Cisco advisory · CISA KEV alert · BleepingComputer

PTC Windchill / FlexPLM RCE (CVE-2026-12569) added to KEV as web-shell attacks continue

PTC · June 25, 2026

CISA also added CVE-2026-12569 to the KEV catalog on June 25, 2026, with a June 28 deadline. The vulnerability is a critical remote code execution flaw (reported CVSS 9.3) in PTC’s Windchill PDMLink and FlexPLM product lifecycle management software, exploitable by an unauthenticated, remote attacker via deserialization/improper input validation. Attackers are dropping persistent JSP web shells (named with 16 hex characters under the Windchill login directory) for remote command execution and data exfiltration. PTC began releasing version-specific patches on June 17 and, in a June 25 update, published new indicators of compromise amid escalating activity. Given Windchill’s deployment across automotive, aerospace, defense, and manufacturing, the flaw poses a notable supply-chain risk.

“Over the last several hours, we’ve received continued reports of heightened threat activity. We urge you to apply all patches and remediations immediately.” — PTC Trust Center advisory, June 25, 2026 update

Source: PTC advisory · CISA KEV alert · The Hacker News
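
A defender-side sweep for the web-shell naming pattern described above, as an added example that is not from PTC, CISA or the original brief: it walks a directory and reports files named with 16 hex characters plus .jsp, with size, modification time and SHA-256 for triage. The .jsp extension, the acceptance of both letter cases, and the directory argument are assumptions; the brief does not give the exact path or PTC's published indicators.

```python
import hashlib
import os
import re
import sys
import time

# Assumption: a shell's file name is exactly 16 hex characters plus ".jsp".
# Both letter cases are accepted because the brief does not state the case.
SHELL_NAME = re.compile(r"[0-9a-fA-F]{16}\.jsp")


def find_suspect_jsp(root):
    """Walk `root` and return triage records for files matching SHELL_NAME."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not SHELL_NAME.fullmatch(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError as exc:
                # Unreadable file: still report it, the name alone is a lead.
                hits.append({"path": path, "error": str(exc)})
                continue
            hits.append({
                "path": path,
                "size": st.st_size,
                "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                           time.gmtime(st.st_mtime)),
                "sha256": digest,
            })
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    # The directory to sweep is supplied by the operator (hypothetical usage).
    if len(sys.argv) != 2:
        sys.exit("usage: hunt_jsp.py <directory>")
    for hit in find_suspect_jsp(sys.argv[1]):
        print(hit)
```

A match is a lead for review against the vendor's published indicators, not a verdict; compare the reported hashes and timestamps with the known-good install.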

JFrog publishes working “DirtyClone” Linux kernel root exploit (CVE-2026-43503)

JFrog Security Research · June 25, 2026

JFrog Security Research published a full exploit walkthrough on June 25, 2026 for CVE-2026-43503, a high-severity (CVSS 8.8) local privilege escalation in the Linux kernel they dubbed “DirtyClone,” the first public demonstration for this DirtyFrag-family variant. The bug lives in the XFRM/IPsec path: cloning via __pskb_copy_fclone() drops the SKBFL_SHARED_FRAG safety flag, letting in-place IPsec decryption overwrite file-backed page-cache memory (e.g., patching /usr/bin/su in RAM) to gain root. Any local user able to acquire CAP_NET_ADMIN—often via unprivileged user namespaces—can exploit it, making multi-tenant cloud, Kubernetes, and container hosts the highest-risk environments. The fix was merged to mainline on May 21 (v7.1-rc5); Debian, Ubuntu, and Fedora are confirmed affected absent the full patch chain. No in-the-wild exploitation has been reported.

“The severity of this issue is significant because it allows any unprivileged local user to gain root access (LPE) by manipulating the Linux page cache. The attack is silent, leaves no kernel logs or audit traces, and bypasses common on-disk integrity monitoring tools.” — JFrog Security Research

Source: JFrog Security Research · CVE.org

