Three things from the past working week that a UK board should know about, in the order I would raise them if I had ten minutes with a chair over coffee on Monday. The week was not short of noise, but the through-line was unusually plain: the unglamorous infrastructure underneath the business had a bad five days, and a US federal patch deadline fell on the Sunday just gone. Each item below has a decision attached, which is the only reason it survived the cut.

1. Your phone system became an unauthenticated route to root, and the clock ran out on Sunday

On 25 June, CISA added two flaws to its Known Exploited Vulnerabilities catalogue and gave US federal agencies until 28 June — yesterday — to fix them. The one most likely to sit in a UK estate is CVE-2026-20230, a server-side request forgery flaw in Cisco Unified Communications Manager, the platform that runs a great many corporate phone systems. Researchers began seeing exploitation over the weekend of 21–22 June, after a proof of concept showed the bug could be used to write files to the underlying operating system and, from there, escalate to root. The mitigating detail worth knowing is that exploitation requires the WebDialer service to be enabled, and WebDialer is off by default.

For boards. The question is not "are we patched" in the abstract, but "does anyone own the telephony estate as a security asset?" Unified communications kit tends to live in a grey zone between IT and facilities, rarely inventoried with the same discipline as servers. Ask who is accountable for it, whether WebDialer is enabled anywhere, and whether it was patched against a deadline that has already passed.

2. An engineering vault full of product designs is being shelled in the wild

The second flaw CISA listed on the same day is CVE-2026-12569, a critical remote code execution bug, rated 9.3, in PTC's Windchill and FlexPLM. These are product lifecycle management systems — the place manufacturers and engineering firms keep their designs, specifications and supplier data. PTC confirmed on 25 June that it had received continued reports of heightened threat activity, with attackers dropping JSP web shells to run commands and steal data. Security researchers describe it as the first time this class of Windchill flaw has been exploited in the wild, and patches are available for the affected versions.

For boards. If you make physical things, your PLM system holds the crown jewels — the intellectual property a competitor or a state actor would most like to copy. It is also the kind of system that gets stood up by an engineering team, wired into suppliers, and then forgotten by security. Ask whether you run Windchill or FlexPLM, whether it faces the internet, and whether the design data inside it would be recoverable and provably untouched if someone had shelled it last week.

3. A new Linux kernel flaw turns a local user into root, and leaves nothing on disk

On 25 June, researchers at JFrog published a working exploit chain for DirtyClone, tracked as CVE-2026-43503, a local privilege escalation flaw in the Linux kernel in the lineage of Dirty COW and Dirty Pipe. An unprivileged user can corrupt kernel memory through cloned network packets and escalate to root, and Debian and Fedora are vulnerable in their default configurations because they allow unprivileged user namespaces. There is no confirmed exploitation in the wild yet, but JFrog's write-up is detailed enough to reproduce, and two properties make it dangerous: on a multi-tenant cloud or container host it lets an attacker break out of one tenant and reach the rest, and because it tampers with the in-memory copy of a file rather than the file on disk, integrity-monitoring tools that hash binaries on disk will report everything as clean.

For boards. This is less a "patch tonight" item than a "know your exposure" one. Ask whether your hosting — your own estate or your provider's — runs shared Linux hosts where one compromised workload could reach the others, and whether your detection would notice a root escalation that never writes to disk. If the honest answer to the second question is "we would rely on the file-integrity tool," that tool would not have seen this.
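The precondition named above, unprivileged user namespaces, is something an engineer can check on a host in a minute, and it is the question the board's "know your exposure" ask turns into. The script below is an added example, not code from JFrog's write-up or from any distribution. It reads the standard `user.max_user_namespaces` knob and, where they exist, the Debian-patch knob `kernel.unprivileged_userns_clone` and Ubuntu's AppArmor gate `kernel.apparmor_restrict_unprivileged_userns`, then confirms the verdict with a live `unshare -U` probe. The sample values in `main()` are constructed, not taken from any real host.

```python
"""Exposure check: can an unprivileged user on this Linux host create a
user namespace, the precondition the DirtyClone write-up names for the
Debian and Fedora defaults?

Added example, not from JFrog or the distributions. Assumes the usual
knobs under /proc/sys; the Debian and Ubuntu knobs are optional and are
only consulted when present.
"""
import os
import shutil
import subprocess

MAX_USERNS = "/proc/sys/user/max_user_namespaces"
DEBIAN_CLONE = "/proc/sys/kernel/unprivileged_userns_clone"   # Debian/Ubuntu patch only
APPARMOR_RESTRICT = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"  # Ubuntu 23.10+


def read_int(path):
    """Read a sysctl knob as an integer; None if the knob does not exist."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def classify(max_userns, debian_clone=None, apparmor_restrict=None):
    """Map the knob values to a verdict.

    'disabled'   - user namespaces cannot be created at all (limit 0), or
                   the Debian knob denies them to unprivileged users
    'restricted' - Ubuntu's AppArmor gate is on: unconfined unprivileged
                   processes are denied, confined ones follow their profile
    'enabled'    - an unprivileged user can create one (the vulnerable default)
    'unknown'    - none of the knobs could be read (not Linux, or no /proc)
    """
    if max_userns is None and debian_clone is None and apparmor_restrict is None:
        return "unknown"
    if max_userns == 0 or debian_clone == 0:
        return "disabled"
    if apparmor_restrict == 1:
        return "restricted"
    return "enabled"


def probe_unshare():
    """Live confirmation from this process's point of view.

    True if `unshare -U true` succeeds, False if the kernel or an LSM refuses
    it, None if the probe is not meaningful (we are root, so the result says
    nothing about unprivileged users, or util-linux's unshare is missing).
    """
    if os.geteuid() == 0 or shutil.which("unshare") is None:
        return None
    result = subprocess.run(["unshare", "-U", "true"],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def assess_host():
    """Combine the sysctl verdict and the live probe for the host we are on."""
    verdict = classify(read_int(MAX_USERNS), read_int(DEBIAN_CLONE),
                       read_int(APPARMOR_RESTRICT))
    return {"sysctl_verdict": verdict,
            "unshare_works": probe_unshare(),
            "kernel": os.uname().release}


if __name__ == "__main__":
    # Constructed sample knob values (not from any real host), then the live host.
    for sample in [(63253, None, None), (0, None, None), (63253, 1, 1)]:
        print(sample, "->", classify(*sample))
    print(assess_host())
```

A "disabled" or "restricted" verdict narrows the exposure; it is not a fix, and the only fix is the kernel update. Turning user namespaces off fleet-wide also breaks rootless containers and some browser sandboxes, so run the check first and decide per host class rather than flipping the knob everywhere.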

The thread that ties this together

Three different systems, one shape. A phone platform, an engineering vault and the kernel under your cloud are not the assets that lead a risk register, yet each spent the week as a live route to the most privileged access on the box. The reason this matters now rather than abstractly sits one news cycle back: the ShinyHunters campaign that exploited an Oracle PeopleSoft zero-day, CVE-2026-35273, earlier this month. The University of Nottingham has since confirmed a breach from that campaign exposing the records of around 454,000 students. That is what an unpatched, internet-facing enterprise application costs once someone reaches it first. CISA's deadline for the Cisco and PTC flaws was yesterday; the attackers did not wait for it. So the question to carry into next week is the uncomfortable one: of the systems that never make your board pack, the telephony, the PLM, the shared hosts under your applications, which would you learn about only when the data turned up on a leak site?