██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

PTC Windchill RCE Exploited Actively — Patch Deadline Passed

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 27, 2026

Share

cybr.cx Daily Digest — June 27, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill & FlexPLM | CVSS: N/A (KEV)
This one needs your immediate attention. An unauthenticated remote code execution vulnerability in PTC's Windchill and FlexPLM platforms is being actively exploited right now, with a CISA remediation deadline of yesterday (June 28). These are enterprise PLM/supply chain systems used heavily in manufacturing and defence sectors — exactly the kind of high-value target that attracts sophisticated threat actors. Patch or isolate affected instances immediately.

⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager | CVSS: N/A (KEV)
An unauthenticated SSRF in Cisco Unified CM and Unified CM SME allows remote attackers to write arbitrary files to the underlying OS — effectively a path to full system compromise without credentials. Also past its CISA due date. If Unified CM is internet-adjacent or accessible from untrusted network segments, treat this as critical priority.

⚠️ Actively exploited — CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 | Ubiquiti UniFi OS | CVSS: N/A (KEV)
Three UniFi OS vulnerabilities were added to CISA KEV on June 23 and are being chained in the wild: improper access control (34908), path traversal enabling file access and account manipulation (34909), and command injection (34910). UniFi gear is ubiquitous in SMBs and prosumer environments — check your controller firmware version now. The combination of all three makes full device takeover straightforward for an attacker with network access.

⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000 | CVSS: N/A (KEV)
OS command injection via the username parameter on Lantronix EDS5000 serial device servers, with injected commands running as root. OT/ICS environments using these devices for serial-to-network bridging should assume exposure and patch or isolate immediately — serial device servers sitting on OT networks are attractive lateral movement pivot points.

CVE-2026-45405 & CVE-2026-45406 | Dokku | CVSS: 9.0 (CRITICAL)
Two critical vulnerabilities in the popular open-source PaaS platform Dokku, both fixed in 0.38.2. The first (45405) allows arbitrary file writes via symlink traversal during tar/zip archive extraction in git:from-archive and certs:add commands. The second (45406) allows command injection through unescaped filenames in the openresty-vhosts plugin — a single quote in a filename breaks shell quoting and gets executed. If you're self-hosting Dokku, upgrade to 0.38.2 without delay; both bugs are attacker-controllable with standard user access.

CVE-2026-56773 | Teable v2 REST API | CVSS: 8.8 (HIGH)
Missing @Permissions metadata on ORPC endpoints in Teable's v2 API means any authenticated user can read table schemas, create tables, and modify or delete records across the entire instance. In a multi-tenant or team environment this is effectively a full authorization bypass on your data layer. Update to a patched release and audit recent API activity.

CVE-2026-32833 | Cudy LT300 Router (firmware < 2.5.12) | CVSS: 8.8 (HIGH)
Authenticated OS command injection via the NTP time configuration interface — specifically the cbid.system.ntp.current POST parameter. Exploitation requires authentication, but default or weak credentials on SOHO routers make this a low bar. Update firmware to 2.5.12 or later.

CVE-2026-48615 | Node.js 22/24/26 | CVSS: 7.5 (HIGH)
Proxy credentials embedded in proxy URLs can leak into ERR_PROXY_TUNNEL error messages, where they may be captured by logs or error monitoring pipelines. In CI/CD environments where Node.js processes authenticate to upstream proxies, this could silently expose credentials to observability tooling. Review logging pipelines and update to patched Node.js releases.

CVE-2026-48619 | Node.js 22/24/26 | CVSS: 7.5 (HIGH)
A malicious HTTP/2 server can send unlimited ORIGIN frames to a Node.js client, causing out-of-memory crashes. Relevant if your Node.js services make outbound HTTP/2 requests to untrusted or attacker-controlled endpoints.

CVE-2025-71324 | Flowise < 3.0.6 | CVSS: 7.5 (HIGH)
Path traversal in the chatId parameter of two file-serving endpoints allows unauthenticated arbitrary file reads from the server. The storage-directory containment check can be bypassed via a fallback lookup path. If you're running Flowise for LLM workflows, upgrade to 3.0.6 and review whether these endpoints were exposed.


Headline News

Polymarket Loses $3M in Third-Party Supply Chain Compromise
Prediction market platform Polymarket confirmed that approximately $3 million was drained from user accounts after attackers compromised a third-party vendor and injected malicious JavaScript into the platform's website. Blockchain analytics firm PeckShield tracked the on-chain movements, providing rare public visibility into the theft's scale. The attack follows the now-familiar web3 supply chain playbook: rather than attacking the smart contracts or the chain itself, adversaries targeted the mutable web frontend — the weakest link in any dApp's trust model. For practitioners, this is another data point in the argument for subresource integrity checks, vendor security reviews, and aggressive Content Security Policies on any financial platform, crypto-native or otherwise.

Fake USB Drives Delivered Malware to Japan's Ground Self-Defense Force
Counterfeit USB flash drives distributed within Japan's Ground Self-Defense Force were found to contain China-linked malware that propagated inside a secured network for nearly a year before detection. The drives were supplied through what appeared to be a legitimate procurement channel, suggesting either a sophisticated supply chain insertion or a compromised vendor relationship. The sustained dwell time — close to twelve months — before discovery points to either low-detectability malware, inadequate endpoint monitoring on air-gapped or restricted networks, or both. For defenders, the incident is a blunt reminder that physical media controls and hardware supply chain vetting are not solved problems, even in military contexts.

Tata Electronics Confirms Breach; 630GB Allegedly Includes Apple and Tesla Supplier Data
Tata Electronics has confirmed a cybersecurity breach weeks after threat actors claimed to have exfiltrated 630GB of data, with the stolen material allegedly including sensitive documents related to Apple and Tesla supply chain operations. The confirmation follows the data being published online, shifting the incident from an unverified claim to a verified exposure. Tata Electronics manufactures iPhone components and serves as a critical node in Apple's India-based production diversification strategy, giving this breach potential supply chain intelligence value well beyond a typical corporate compromise. Organisations downstream in complex manufacturing supply chains should assess whether any shared data or credentials with Tata Electronics warrant rotation or review.


Schrödinger's Feed

A former Microsoft Quantum employee has founded a new Chinese-based startup that has already secured pre-Series A funding — a development that sits at the intersection of quantum hardware talent migration and the increasingly fraught geopolitics of quantum technology. Quantum computing expertise is becoming a strategic resource in its own right, and the movement of senior researchers between major national programmes is now attracting the same scrutiny as semiconductor IP transfers. From a cryptographic security standpoint, the race to fault-tolerant quantum hardware has direct implications for the timeline at which current public-key infrastructure becomes vulnerable. Practitioners implementing PQC migration roadmaps should treat talent and investment flows in this space as signal, not noise — they're an indirect indicator of how seriously nation-state actors are taking the cryptographic endgame.


/dev/random

Researchers at Aleph Neuro are imaging the living human brain using ultrasound — not the fuzzy blob you'd expect, but surprisingly detailed structural scans achieved without the MRI machine, the magnet, or the seven-figure price tag. The technique exploits the same physics that lets you see a foetus at 12 weeks, just applied with considerably more signal processing sophistication to a skull that was specifically designed by evolution to block exactly this kind of intrusion. From a security researcher's perspective, the interesting angle is that ultrasound transducers are cheap, portable, and increasingly connected — and anything that can read neural activity at useful resolution will eventually attract people asking what else you could do with that data stream. Brainwave authentication was already a niche curiosity; non-contact cranial imaging moves some interesting threat models out of the realm of science fiction.