Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-12569

PTC Windchill PDMLink & FlexPLM unauthenticated RCE via untrusted deserialization

Unauthenticated remote code execution in PTC Windchill PDMLink and FlexPLM via untrusted-data deserialization. Added to CISA KEV 2026-06-25 with a three-day patch mandate. JSP webshells observed being dropped on unpatched instances.

cat cve-2026-12569.json
Vendor
PTC
Product
Windchill PDMLink and FlexPLM (see body for affected version ranges)
CVSS
9.8
EPSS (exploit probability)
1.2%
Status
kev
Published

An unauthenticated remote code execution flaw in PTC’s Windchill PDMLink and FlexPLM enterprise engineering platforms. NVD lists two weakness classes: CWE-20 (improper input validation) and CWE-502 (deserialization of untrusted data). NVD assigns CVSS 3.1 = 9.8 and CVSS 4.0 = 9.3. No authentication, no user interaction, network-reachable — the fastest possible profile to weaponize at scale.

Affected versions (per NVD):

  • Windchill PDMLink — up to and including 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0. All CPS versions in-scope.
  • FlexPLM — up to and including 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0. All CPS versions in-scope.

Timeline (per Help Net Security, June 29 2026):

  • 2026-06-17 — PTC issues initial warning with remediation guidance.
  • 2026-06-18 — First patch released. Exploitation in the wild confirmed.
  • 2026-06-25 — CISA adds it to KEV. First-ever PTC entry on the catalog.
  • 2026-06-28 — CISA due date for US federal civilian agencies.

Exploitation. Unknown threat actors observed dropping JSP webshells at path pattern /Windchill/login/[0-9a-f]{16}.jsp on compromised servers. The Hacker News (June 26) published a partial IOC list including C2 address 5.180.41.35 and file hash 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c. Full IOC set and vendor mitigation guidance live in PTC’s advisory, CS473270 (customer login required) and the public trust-center posting.

What to do. Patch to a PTC-designated fixed release for your version line — refer to the vendor advisory for the exact target. If patching is not immediately possible, PTC and CISA guidance also cover perimeter blocks (WAF rules on the X-windchill-req: header), log review for POST requests to /Windchill/login/*.jsp, filesystem scans for matching JSP files, and reducing internet exposure of the Windchill login endpoint.

Sources. NVD CVE-2026-12569 · CISA KEV entry · PTC trust-center advisory · The Hacker News, 2026-06-26 · Help Net Security, 2026-06-29