PTC Windchill PLM RCE is on KEV — shells still landing
PTC Windchill PDMLink and FlexPLM ship an unauth deserialization RCE. CISA added it to KEV on 2026-06-25. Unpatched instances are still catching JSP webshells.
The bug is a deserialization of untrusted data in PTC’s Windchill PDMLink and FlexPLM — the enterprise product data management and product lifecycle management platforms that sit behind CAD, bills of materials, and the release process at a lot of large industrial and defense manufacturers. NVD calls it CVE-2026-12569: CWE-20 (improper input validation) and CWE-502 (deserialization of untrusted data), CVSS 3.1 = 9.8, CVSS 4.0 = 9.3, no authentication, no user interaction, network-reachable. An unauthenticated attacker sends a crafted request; the server deserializes it and runs whatever they put in it.
CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-25. The federal-agency due date under BOD 26-04 was 2026-06-28. It is the first PTC product ever to land on KEV.
What is actually being hit
PTC’s initial warning went out on 2026-06-17. The first patch shipped 2026-06-18, and exploitation in the wild was confirmed the same day, per Help Net Security’s 2026-06-29 writeup. Germany’s BSI had already started telling companies to check their instances the week before. So the vendor advisory, the patch, and the “someone is already using this” call all landed in one 24-hour window.
The observed payload is JSP webshells written to /Windchill/login/[0-9a-f]{16}.jsp on the target — a random 16-character hex name under the login path so the file blends into whatever else is sitting in that directory. The Hacker News published a partial IOC set on 2026-06-26 that included command-and-control address 5.180.41.35 and a webshell SHA-256 of 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c. PTC’s customer advisory CS473270 (login required) has the current IOC set and detection guidance; the public trust-center posting is the closest thing to a canonical unauthenticated source.
Attribution has not been made public. Neither PTC nor CISA has named an actor, and there is no basis for guessing one from the shell path alone. The observation is “someone is dropping JSPs” — that is the observation.
Affected versions
Per NVD:
- Windchill PDMLink — up through 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0. All CPS versions in scope.
- FlexPLM — up through 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0. All CPS versions in scope.
That is a wide affected surface across a long deployment tail. Windchill installations sit for a decade in a lot of shops. It is not going to be one homogeneous fleet.
Why the PLM box is a bigger deal than it sounds
Windchill and FlexPLM are not what most infosec coverage calls “critical infrastructure.” They are not ICS. They are enterprise engineering software: they own the CAD files, the BOMs, the change orders, the release approvals — the paper trail for what physically gets built. In a lot of manufacturers, that pipeline flows straight into MES systems, then into the shop floor. Compromising the PLM is not the same as compromising the PLC. It is the layer above.
The immediate blast radius from the RCE itself is a webshell on the application server: code execution, data exfil, credential harvest, pivot. That is the pattern webshells drop for. The downstream reach — access to engineering IP, unreleased designs, supplier data, and in some environments the ability to alter released drawings — is why an unpatched instance is a bigger problem than the front-of-house label suggests. It is legacy enterprise middleware with real leverage on the physical layer, still running, still reachable.
That is the pattern the KEV catalog keeps re-teaching. See Adobe ColdFusion CVE-2026-48282 — another old, quiet, everywhere-and-nowhere enterprise box that turned up on KEV last week with a three-day patch mandate. See also SimpleHelp CVE-2026-48558, which sat past the federal deadline in largely the same way this one now has. And today’s KEV additions — Joomla components with the same class of unrestricted-upload profile — all of it is one long note that the boring, well-installed, well-forgotten enterprise product is where a lot of the actual exposure is.
What to do
Patch. PTC has designated fixed releases per version line — refer to CS473270 for the exact target for your build. If patching is not immediately possible, PTC and CISA guidance covers: perimeter WAF rules blocking requests carrying the X-windchill-req: header, log review for POST requests to /Windchill/login/*.jsp, filesystem scans for JSP files matching the shell path pattern, and — the one specific thing worth doing today if you can only do one — pulling the Windchill login endpoint off the public internet. The exploit needs no authentication and 260-plus bytes of ordinary-looking traffic. Every day a vulnerable instance is internet-reachable is a day it is a target of opportunity.
Found this useful? Share it.