Critical RCE Flaw Hits PTC Windchill, FlexPLM Under Active Attack
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 29, 2026
cybr.cx Daily Digest — June 29, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill & FlexPLM | No NVD CVSS yet
This is the most urgent item in today's feed. An unauthenticated remote attacker can send a malicious network request to achieve arbitrary code execution against PTC Windchill and FlexPLM — product lifecycle management platforms widely deployed in manufacturing, defence, and aerospace supply chains. CISA added this to the KEV catalogue on June 25 with a patch deadline of June 28, which has now passed. If you have internet-facing Windchill or FlexPLM instances, treat this as an active incident until patched.
⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager | No NVD CVSS yet
A server-side request forgery (SSRF) flaw in Cisco Unified CM and Unified CM SME allows an unauthenticated remote attacker to write arbitrary files to the underlying operating system — effectively a pre-auth file write primitive on your phone system. CISA's patch deadline was June 28. Unified CM is a common target in enterprise environments and a foothold here can pivot to adjacent internal infrastructure. Patch or isolate immediately.
⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000 | No NVD CVSS yet
The Lantronix EDS5000 serial device server contains a command injection flaw in the username parameter — injected commands execute with root privileges. These devices are frequently embedded in OT/ICS environments bridging serial hardware to IP networks, which makes exploitation particularly dangerous in critical infrastructure contexts. CISA's deadline was June 26. If you can't patch, take these off the network.
⚠️ Actively exploited — CVE-2026-34908 / 34909 / 34910 | Ubiquiti UniFi OS | No NVD CVSS yet
Three separate actively exploited flaws affect Ubiquiti UniFi OS: improper access control allowing unauthorised system changes (34908), path traversal enabling file access and potential account compromise (34909), and command injection for network-adjacent attackers (34910). These are often chained. UniFi hardware is ubiquitous in SMB and home-lab environments, but also common in enterprise branch networks. All three hit CISA KEV on June 23 — deadline has passed.
CVE-2026-58049 | FFmpeg libavcodec (RASC decoder) | CVSS 8.6 — HIGH
FFmpeg's RASC video decoder performs boundary validation in pixel units rather than bytes and doesn't check row limits before writing, allowing a crafted media file to trigger an out-of-bounds read/write in libavcodec. Any application or service that ingests untrusted media through FFmpeg — transcoding pipelines, media servers, video platforms — is exposed. Given FFmpeg's ubiquity, prioritise patching in production media processing environments.
CVE-2026-8095 | WordPress Frontend File Manager Plugin ≤ 23.6 | CVSS 8.1 — HIGH
An authenticated attacker can delete arbitrary files on the server by supplying an uppercase WPFM_DIR_PATH parameter value, bypassing a case-sensitive sanitisation check that sanitize_key() then normalises back to the expected lowercase form. The bypass is trivially simple — any user who can authenticate to the WordPress AJAX endpoint is a potential attacker. WordPress site operators should update to 23.7 or disable the plugin.
CVE-2026-58056 | RustDesk | CVSS 7.6 — HIGH
RustDesk's capability flag system doesn't isolate session types correctly. A peer authorised only for file transfer can inject keyboard and mouse input and reach screenshot and display-capture handlers — effectively escalating from file access to full remote control. This is particularly concerning in environments using RustDesk as a self-hosted remote support alternative. Verify session authorisation logic and update to a patched build.
CVE-2026-13485 / 13486 / 13487 / 13488 | SourceCodester Class and Exam Timetabling System 1.0 | CVSS 7.3 — HIGH
Four separate SQL injection points across /preview.php, /preview6.php, /archive.php, and /preview7.php — all remotely exploitable, all with public exploits. This is a low-stakes open-source academic tool, but publicly available exploits mean automated scanners will find exposed instances quickly. If you're running it, take it offline or firewall it immediately.
Headline News
Russian Intelligence Pivots to Signal Recovery Keys in Credential Theft Campaign
A joint advisory from the FBI and CISA has expanded on earlier warnings about Russian intelligence targeting encrypted messaging accounts, adding significant new technical detail: operators are now specifically targeting Signal's linked device backup recovery keys to gain persistent, long-term access to message history rather than simply intercepting individual sessions. The campaign — attributed to Russian intelligence services — has targeted government officials, military personnel, and defence-adjacent individuals in Ukraine and allied nations, using fake mobile carrier support messages as the phishing lure. The Security Service of Ukraine confirmed its involvement in the investigation alongside the FBI. For practitioners, the key shift here is the persistence angle: compromising a recovery key doesn't just expose current messages, it enables silent historical access and potential long-term account shadowing. Organisations whose staff use Signal for sensitive communications should audit linked devices, rotate recovery keys, and consider whether Signal's linked-device feature is necessary in high-threat-model contexts.
QR Code Brushing Scams Reach Physical Mailboxes
A wave of "empty envelope" incidents is surfacing across the US — physical mail arriving with nothing inside except a QR code, designed to redirect victims to credential-harvesting sites or malware delivery pages. The underlying mechanic is a brushing scam variant: sellers use real mailing addresses to establish fake verified purchase reviews, but the new variant adds an active phishing component via the embedded QR code. The threat model here is broader than it first appears — physical post bypasses every email and web filter in your security stack, and QR codes are notoriously difficult for users to pre-validate before scanning. For security awareness programmes, this is a timely reminder that phishing delivery has no channel restrictions, and that "don't scan unknown QR codes" deserves the same airtime as "don't click unknown links." Organisations with physical mail rooms should brief staff explicitly on this tactic.
Schrödinger's Feed
No quantum data landed in today's feed — the qubits appear to have collapsed into a null state. Quantum computing is advancing fast enough that a quiet day is itself worth noting: the field moves in bursts of preprint-driven news, and the gaps between major announcements are shrinking. Practitioners should maintain standing alerts on NIST PQC implementation guidance and watch for any new cryptographic migration advisories — the "harvest now, decrypt later" threat doesn't pause on slow news days.
/dev/random
Apple's proprietary AirPods protocol has been reverse-engineered and documented in a project called LibrePods, enabling features like automatic ear detection, battery status, and noise control toggling on non-Apple operating systems — without requiring Apple's closed-source stack. The project essentially picked the lock on a Bluetooth-adjacent proprietary protocol that Apple had never documented, using traffic analysis and careful reverse engineering. The security angle is mild but real: undocumented proprietary protocols have a habit of containing unexpected trust assumptions, and now that the protocol is open, formal analysis becomes possible. Also, your AirPods are officially freer than your smartphone.