CISA cleared two Known Exploited Vulnerabilities (KEV) batches this fortnight. On Thursday 25 June, due 28 June, it listed a Cisco Unified Communications Manager server-side request forgery (SSRF) flaw, CVE-2026-20230, and a flaw in PTC Windchill, CVE-2026-12569, allowing unauthenticated remote code execution (RCE). On Monday 29 June, due 2 July, came a SimpleHelp single-sign-on (SSO) authentication bypass, CVE-2026-48558, a Cisco Catalyst SD-WAN Manager path traversal, CVE-2026-20262, and a Joomla Widget Factory flaw, CVE-2026-48907. 1
That makes Cisco the most repeat-listed vendor on this beat, with five KEV entries across three product lines since April, following the CVSS-10 Catalyst flaw that the UAT-8616 group was already exploiting in May . An SSRF flaw lets an attacker make a server issue requests on their behalf, reaching systems the attacker cannot touch directly. SimpleHelp is the remote monitoring and management (RMM) tool tied to the 2025 DragonForce campaign against managed service providers (MSPs), and an SSO bypass re-opens the same one-to-many route into every downstream client.
PTC Windchill sits in the product-lifecycle-management (PLM) systems that aerospace, automotive and defence suppliers use to hold engineering data. An unauthenticated RCE there is a supply-chain entry rather than a perimeter one: the attacker needs no credential, and the prize is the design data a supplier holds on behalf of its customers.
