KEV Intelligence Brief — June 29, 2026

Prepared for: Federal Contractors · DevOps & Platform Teams · Security Operations Leaders Issued: Monday, June 29, 2026 | Catalog Window: June 16–25, 2026

Eight vulnerabilities added to CISA's KEV catalog over the past two weeks span enterprise PLM platforms, unified communications infrastructure, networking gear, and web content management — with several patch deadlines already elapsed. All entries carry BOD 26-04 obligations. Federal agencies and their contractors are out of time on most of these; commercial operators should treat them with equivalent urgency given confirmed exploitation.

Overdue and Critical: Unauthenticated RCE Across Enterprise Infrastructure

The most technically severe cluster in this cycle involves vulnerabilities that require no authentication and enable direct code execution or privileged file manipulation — the conditions threat actors prize most.

CVE-2026-12569 (PTC Windchill and FlexPLM, deadline: June 28) represents the highest-stakes entry in this brief. Windchill is deeply embedded in defense and aerospace supply chains as a product lifecycle management backbone; FlexPLM serves retail and apparel manufacturing. An unauthenticated remote attacker can send a malicious network request to achieve arbitrary code execution — no credentials, no prior access required. If your organization runs Windchill or FlexPLM with any internet-facing exposure, that exposure should have been eliminated before the deadline passed yesterday. If patching is not yet complete, isolate affected systems at the network perimeter immediately, review ingress logs for anomalous POST traffic to API endpoints, and initiate vendor-guided forensic triage per BOD 26-04 requirements before reintroducing connectivity.

CVE-2026-20230 (Cisco Unified Communications Manager and Unified CM SME, deadline: June 28) is a server-side request forgery vulnerability that permits unauthenticated file writes to the underlying OS — a stepping stone to root escalation. Cisco Unified CM is pervasive in federal and enterprise telephony environments, and SSRF-to-file-write chains in this class of product have historically been leveraged for persistent backdoor installation. Administrators should apply Cisco's advisory patches immediately, audit recent file system changes in /tmp and application directories, rotate service account credentials, and verify that Unified CM management interfaces are not exposed directly to untrusted networks. Both CVE-2026-12569 and CVE-2026-20230 share the same June 28 deadline — as of today, both are overdue.

CVE-2026-20253 (Splunk Enterprise, deadline: June 21 — now eight days overdue) allows an unauthenticated user to create or truncate arbitrary files through an exposed PostgreSQL sidecar service endpoint. In a SIEM context, the implications extend beyond the Splunk platform itself: an attacker who can truncate log files or inject synthetic records can blind your detection capability and manipulate audit trails. Splunk Enterprise environments that have not yet patched should immediately restrict network access to the PostgreSQL sidecar port (typically 5432) to localhost or trusted management subnets only, then patch without delay. Forensic review of recent file activity around Splunk's data and configuration directories is warranted given the elapsed deadline.