CISA Adds CVE‑2026‑12569 (PTC Windchill) and CVE‑2026‑20230 (Cisco Unified Communications Manager) to KEV Catalog – Active Exploitation Confirmed
What It Is — CISA announced that two vulnerabilities—an improper input‑validation flaw in PTC Windchill/FlexPLM (CVE‑2026‑12569) and a server‑side request‑forgery issue in Cisco Unified Communications Manager (CVE‑2026‑20230)—have been observed in the wild and are now listed in the Known Exploited Vulnerabilities (KEV) catalog.
Exploitability — Both CVEs have publicly documented evidence of active exploitation; CVSS scores are 8.6 (Windchill) and 9.1 (Cisco) respectively.
Affected Products — PTC Windchill and FlexPLM platforms; Cisco Unified Communications Manager (UCM) software.
Why It Matters for Compliance & Audit Readiness
- Control‑mapping frameworks (e.g., SOC 2 CC6.1 – Secure Development) require documented evidence that input‑validation and request‑validation controls are implemented and continuously monitored.
- A KEV listing raises the risk profile that auditors will probe; having real‑time remediation evidence shortens the audit gap and demonstrates due diligence.
- Storing patch‑status logs and configuration snapshots in a trusted evidence repository (e.g., Verisq’s Trust Center) provides immutable proof of remediation, satisfying both BOD 26‑04 and SOC 2 readiness expectations.
Recommended Actions
- Map CVE‑2026‑12569 and CVE‑2026‑20230 to the relevant SOC 2 controls (CC6.1, CC7.1, etc.).
- Verify that every publicly‑exposed instance of Windchill, FlexPLM, and Cisco UCM is patched to the vendor‑released fix; capture patch‑status logs as audit evidence.
- Deploy continuous vulnerability scanning and feed results into a control‑evidence platform for ongoing compliance monitoring.
- Update internal vulnerability‑management policies to reflect BOD 26‑04 requirements and prioritize KEV‑catalog items.
Source: CISA Advisory – 25 June 2026