CISA ordered all federal civilian agencies to patch CVE-2026-20230 in Cisco Unified Communications Manager by June 28, a three-day window under Binding Operational Directive 26-04 that opened the moment the flaw landed in the Known Exploited Vulnerabilities catalog.
The bug is a server-side request forgery in the WebDialer component. An unauthenticated attacker can send a crafted HTTP request to write arbitrary files to the underlying OS. Cisco’s June 3 advisory rated it critical and noted that a proof-of-concept already existed, but the company reported no active exploitation at the time.
That changed last weekend. Threat detection startup Defused caught attackers exploiting CVE-2026-20230 to write arbitrary text files to affected endpoints. Who’s behind the campaign isn’t known.
CISA added a second flaw to the same June 28 deadline: CVE-2026-12569, a critical remote code execution vulnerability in PTC Windchill and FlexPLM, product lifecycle management platforms used across manufacturing, engineering, retail, footwear, apparel, and consumer products. PTC disclosed the issue June 18 and urged immediate remediation; CISA added it to the KEV catalog June 25. The flaw affects all versions up to and including 11.0 and multiple release branches through 13.0.
The Cisco timeline tells the real story. Cisco patched June 3, a PoC was already in hand, and exploitation was confirmed three weeks later. BOD 26-04’s three-day remediation clock assumes agencies are close to current. Any FCEB agency sitting three weeks behind on the Cisco fix doesn’t have until Sunday. It’s Sunday now.
James Okafor