PTC Windchill PDMLink & FlexPLM unauthenticated RCE via untrusted deserialization
Unauthenticated remote code execution in PTC Windchill PDMLink and FlexPLM via untrusted-data deserialization. Added to CISA KEV 2026-06-25 with a three-day patch mandate. JSP webshells observed being dropped on unpatched instances.
- Vendor
- PTC
- Product
- Windchill PDMLink and FlexPLM (see body for affected version ranges)
- CVSS
- 9.8
- EPSS (exploit probability)
- 1.2%
- Status
- kev
- Published
An unauthenticated remote code execution flaw in PTC’s Windchill PDMLink and FlexPLM enterprise engineering platforms. NVD lists two weakness classes: CWE-20 (improper input validation) and CWE-502 (deserialization of untrusted data). NVD assigns CVSS 3.1 = 9.8 and CVSS 4.0 = 9.3. No authentication, no user interaction, network-reachable — the fastest possible profile to weaponize at scale.
Affected versions (per NVD):
- Windchill PDMLink — up to and including 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0. All CPS versions in-scope.
- FlexPLM — up to and including 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0. All CPS versions in-scope.
Timeline (per Help Net Security, June 29 2026):
- 2026-06-17 — PTC issues initial warning with remediation guidance.
- 2026-06-18 — First patch released. Exploitation in the wild confirmed.
- 2026-06-25 — CISA adds it to KEV. First-ever PTC entry on the catalog.
- 2026-06-28 — CISA due date for US federal civilian agencies.
Exploitation. Unknown threat actors observed dropping JSP webshells at path pattern /Windchill/login/[0-9a-f]{16}.jsp on compromised servers. The Hacker News (June 26) published a partial IOC list including C2 address 5.180.41.35 and file hash 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c. Full IOC set and vendor mitigation guidance live in PTC’s advisory, CS473270 (customer login required) and the public trust-center posting.
What to do. Patch to a PTC-designated fixed release for your version line — refer to the vendor advisory for the exact target. If patching is not immediately possible, PTC and CISA guidance also cover perimeter blocks (WAF rules on the X-windchill-req: header), log review for POST requests to /Windchill/login/*.jsp, filesystem scans for matching JSP files, and reducing internet exposure of the Windchill login endpoint.
Sources. NVD CVE-2026-12569 · CISA KEV entry · PTC trust-center advisory · The Hacker News, 2026-06-26 · Help Net Security, 2026-06-29