CISA added CVE-2026-12569, a critical remote code execution flaw in PTC's Windchill PDMLink and FlexPLM product lifecycle management (PLM) software, to its Known Exploited Vulnerabilities (KEV) catalog on 25 June 2026, with a 28 June 2026 remediation deadline for US federal agencies — the first PTC product flaw ever added to the catalog. PTC describes the flaw as allowing an unauthorised user to execute code remotely, and its own advisory makes clear this is not a hypothetical risk: attackers are actively exploiting it to plant webshells, and PTC reported continued elevated threat activity as recently as 25 June. PTC has been releasing patches and mitigations since 17 June.
What the flaw is
CVE-2026-12569 is a critical vulnerability in PTC Windchill PDMLink and FlexPLM, classified as improper input validation combined with deserialization of untrusted data (CWE-20 and CWE-502). According to SecurityWeek and the CVSS vector PTC assigned — which lists no privileges as required — the flaw can be exploited by a remote, unauthenticated attacker to execute arbitrary code via specially crafted requests; PTC scores it 9.3 on the CVSS 4.0 scale, in the Critical range, while the NVD has not yet published its own assessment. Windchill and FlexPLM are PLM platforms used to manage product data and development across manufacturing, engineering, retail, footwear, apparel and consumer-products businesses — systems that hold design files, bills of materials and supplier data, which makes them a high-value target.
In the observed attacks, exploitation leads to the deployment of persistent JSP webshells into the Windchill login directory, giving the attacker remote command execution on the server and a route to data exfiltration. This advisory describes the effect of the flaw and how to detect the resulting activity; the operational technique of the exploit itself is deliberately left out.
Active exploitation and a fast-moving patch timeline
This is a live, developing incident rather than a routine advisory. PTC began publishing remediation steps and patches on 17 June and released indicators of compromise the next day, warning that attackers were deploying persistent JSP webshells to enable remote command execution and data exfiltration. It has rolled out patches branch by branch since then and has been updating its Trust Center advisory daily. On 25 June, PTC reported continued elevated threat activity and urged customers to apply all patches and remediations immediately; the same day, CISA added the flaw to its KEV catalog — the first PTC vulnerability it has ever listed — with the 28 June federal deadline.
Authorities had been anticipating this. SecurityWeek notes that German police physically alerted companies in March about the risk posed by a different PTC Windchill vulnerability, before any exploitation was confirmed. The exploitation of CVE-2026-12569 is not attributed to a named threat actor, but PTC's reporting is specific about the behaviour, and the patch being available does not help instances that have not applied it — and, as below, applying it is necessary but not sufficient.
How to fix it, and how to detect compromise
Patch first. Identify your Windchill PDMLink or FlexPLM version against PTC's eSupport article CS473270, which carries the full affected-version list and remediation steps. Public CVE/NVD data indicates the issue affects releases prior to 11.0 M030 and listed versions across the 11.1, 11.2, 12.0, 12.1, 13.0 and 13.1 branches, so the correct action depends on your exact release. Instances hosted by PTC are being remediated by PTC directly, according to the vendor.
Then hunt, because webshells persist. A patch closes the entry point but does not remove a webshell that an earlier attack already planted, so any internet-reachable Windchill or FlexPLM instance should be checked for compromise. Drawing on the defensive indicators PTC publishes:
Search HTTP access logs for any POST request to a Windchill login path of the form
/Windchill/login/<16-hexadecimal-character>.jsp— legitimate Windchill traffic does not POST to this path, and the attacker names webshells using 16 lowercase hex characters, so new shells may appear under different names.Watch for the malicious request header
X-windchill-req, which PTC notes has no legitimate use in Windchill.Scan the application filesystem for unexpected
.jspfiles under the Windchill login/codebase directory, and check for aflst.txtfile in temporary or working directories, which PTC flags as a sign of attacker file-listing activity.Restrict internet exposure of the Windchill login endpoint where operationally possible.
PTC also publishes attacker command-and-control IP addresses to block and a webshell file hash to scan for. Because PTC is updating those indicators daily as new infrastructure appears, consult its advisory and eSupport article (CS473270) for the current list rather than relying on a static snapshot.
What it means for the region
PLM software is important infrastructure for manufacturing, electronics, apparel, footwear and supplier networks, including regional deployments across ASEAN. A compromised Windchill or FlexPLM server is not just an IT problem: it can expose design files, bills of materials and supplier data, and may provide a foothold into the wider environment. SecurityWeek notes that Windchill is widely deployed across industrial and manufacturing organisations — including automotive, aerospace, defence and heavy-machinery firms — which is what makes active exploitation a supply-chain and operational-technology concern as much as an IT one. The CISA deadline binds only US federal agencies, but a reachable, unpatched instance carries the same risk wherever it is deployed, and the action is the same: patch to the correct per-version release, then hunt for the webshell activity PTC describes.
Key Takeaways
CVE-2026-12569 is a critical remote code execution flaw in PTC Windchill PDMLink and FlexPLM (CWE-20 and CWE-502, deserialization of untrusted data); attackers are exploiting it to deploy JSP webshells, and PTC scores it 9.3 on the CVSS 4.0 scale.
CISA added it to the KEV catalog on 25 June 2026 — its first-ever PTC listing — with a 28 June 2026 federal deadline; PTC has been releasing patches since 17 June and updating its advisory daily.
It affects releases prior to 11.0 M030 and listed versions across the 11.1, 11.2, 12.0, 12.1, 13.0 and 13.1 branches — patch to the correct release per PTC's eSupport article CS473270.
Patching does not remove a webshell already planted; hunt for POSTs to
/Windchill/login/<16-hex>.jsp, theX-windchill-reqheader, unexpected.jspfiles andflst.txt, and consult PTC's advisory for the live C2 IP and hash indicators.