CVE-2026-12569
Published 2026-06-18
Priority: P1 (94) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (due 2026-06-28) · Exploited in the wild
EPSS: 1.11% (61.7th percentile)
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
- This advisory also applies to all CPS versions.
- The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.
Affected
38 ranges listed (25 shown on the page). Only the four rows that carry version data are reproduced below; the remaining flexplm and windchill_pdmlink entries have no version or fix information.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ptc | flexplm | <= 11.0 M030 | — |
| ptc | flexplm | <= 11.0m030 | — |
| ptc | windchill_pdmlink | < 11.0m030 | 11.0m030 |
| ptc | windchill_pdmlink | <= 11.0 M030 | — |
Detection & IOCs (extracted from sources)
- Search HTTP access logs for POST requests to the Windchill login directory targeting JSP files, which indicates web shell interaction.
- Scan the filesystem for dropped JSP web shells matching the 16-hex-character naming pattern under the Windchill login path.
- Presence of flst.txt in /tmp or the Windchill working directory is a confirmed attacker artifact indicating file-listing activity.
- Block or alert on any HTTP request containing the custom header X-windchill-req: at the WAF or IDS layer, as it is associated with exploit activity.
- Block attacker C2 IP 5.180.41.35 at the perimeter firewall immediately.
- The exploitation vector is deserialization of untrusted data via a malicious network request; monitor for anomalous deserialization activity on Windchill/FlexPLM endpoints.
- Attackers are deploying JSP web shells against susceptible Windchill systems; hunt for newly created JSP files in the login directory.
- The advisory applies to all CPS versions and also impacts Windchill and FlexPLM releases prior to 11.0 M030, broadening the affected scope beyond the main release branches.
- The flaw affects all versions up to 11.0 and multiple versions of the 11.1, 11.2, 12.0, 12.1, and 13.0 release branches, meaning a wide range of deployments are vulnerable.
- Restrict internet exposure of the Windchill login endpoint where operationally possible to reduce attack surface.
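To turn the log and filesystem indicators above into a repeatable check, the following Python is an added example and not code from any of the cited sources. The access-log layout (a combined-log line with an optional `hdr="..."` field where the proxy records custom request headers) and the login-directory prefix `/Windchill/login/` are assumptions; the sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List

# Assumed Windchill login-directory prefix (adjust to the deployment's context root).
LOGIN_DIR = "/Windchill/login/"
# Dropped web shells are described as JSP files with 16-hex-character names.
WEBSHELL_NAME = re.compile(r"^[0-9a-fA-F]{16}\.jsp$")
C2_IP = "5.180.41.35"          # indicator quoted in the advisory extract above
ARTIFACT_FILES = {"flst.txt"}  # file-listing artifact named in the advisory extract

# Assumed log layout: ip ident user [time] "METHOD PATH PROTO" status size [hdr="..."]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+(?: hdr="(?P<hdr>[^"]*)")?'
)

def classify(line: str) -> List[str]:
    """Return the names of the indicators a single access-log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits: List[str] = []
    path = m.group("path").split("?", 1)[0]
    if m.group("ip") == C2_IP:
        hits.append("c2_ip")
    if m.group("method") == "POST" and path.startswith(LOGIN_DIR) and path.lower().endswith(".jsp"):
        hits.append("post_jsp_login_dir")
        if WEBSHELL_NAME.match(path.rsplit("/", 1)[-1]):
            hits.append("webshell_name_pattern")
    hdr = m.group("hdr") or ""
    if "x-windchill-req" in hdr.lower():
        hits.append("x_windchill_req_header")
    return hits

def scan_log(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map line index -> matched indicators for every line matching at least one."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

def suspicious_filenames(names: Iterable[str]) -> List[str]:
    """Filter a directory listing (login directory, /tmp) to web-shell-like names and flst.txt."""
    return [n for n in names if WEBSHELL_NAME.match(n) or n in ARTIFACT_FILES]

# Constructed sample lines (not real traffic); the second one carries every indicator.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2026:10:00:01 +0000] "GET /Windchill/app/ HTTP/1.1" 200 512',
    '5.180.41.35 - - [26/Jun/2026:10:00:05 +0000] "POST /Windchill/login/3fa9c2e17b0d44aa.jsp HTTP/1.1" 200 88 hdr="X-windchill-req: 1"',
    '198.51.100.9 - - [26/Jun/2026:10:00:09 +0000] "POST /Windchill/login/index.jsp HTTP/1.1" 302 0',
]
```

A POST to a legitimate JSP under the login path (the third sample) still raises the weaker `post_jsp_login_dir` signal, so treat that indicator as a hunting lead and the name pattern, header and C2 address as the high-confidence ones.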
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v4.0): 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:Red
- cvelistv5 (v4.0): 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red
- VulnCheck: 9.3 CRITICAL
- CISA: 9.3 CRITICAL
VulDB
PTC Windchill PDMLink/FlexPLM up to 13.1.3.0 input validation (WID-SEC-2026-1991)
VulDB · 2026-06-25 · CVSS 9.3 · CRITICAL
A vulnerability, which was classified as critical, has been found in PTC Windchill PDMLink and FlexPLM up to 13.1.3.0. This affects an unknown part. This manipulation causes improper input validation.
This vulnerability is handled as CVE-2026-12569. The attack can be initiated remotely. Additionally, an exploit exists.
It is advisable to upgrade the affected component.
GHSA
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM.
GHSA (unreviewed) · 2026-06-18 · CRITICAL · CWE-20
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
- This advisory also applies to all CPS versions.
- The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.
CVEList
Remote Code Execution (RCE) vulnerability in Windchill PDMlink
cvelistv5 · 2026-06-18 · CVSS 9.3 · CRITICAL · CWE-20
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
- This advisory also applies to all CPS versions.
- The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.
VulnCheck
PTC Windchill and FlexPLM Improper Input Validation Vulnerability
VulnCheck · 2026 · CVSS 9.3 · CRITICAL · CWE-20
PTC Windchill and FlexPLM contains an improper input validation vulnerability allowing an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.
Affected: PTC Windchill and FlexPLM
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guide
CISA
PTC Windchill and FlexPLM Improper Input Validation Vulnerability
CISA · 2026-06-25 · CVSS 9.3 · CRITICAL · CWE-20
Vulnerability: PTC Windchill and FlexPLM Improper Input Validation Vulnerability
Affected: PTC Windchill and FlexPLM
PTC Windchill and FlexPLM contains an improper input validation vulnerability allowing an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
The Hacker News · 2026-06-26 · CVSS 9.8 · CRITICAL
## CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request
Published: 2026-06-18
Added to CISA KEV: 2026-06-25
Exploited in the wild