CVE-2026-12569
published 2026-06-18


Priority P1 · 94 · critical 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2026-06-28
Exploited in the wild
EPSS 1.11% (61.7th percentile)
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.

* This advisory also applies to all CPS versions
* The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

Affected

38 ranges · showing 25

Vendor  Product             Version range   Fixed in
ptc     flexplm             <= 11.0 M030
ptc     flexplm             <= 11.0m030
ptc     flexplm             (15 further rows list only vendor and product, no version range)
ptc     windchill_pdmlink   < 11.0m030      11.0m030
ptc     windchill_pdmlink   <= 11.0 M030
ptc     windchill_pdmlink   (6 further rows list only vendor and product, no version range)

Detection & IOCs (extracted from sources)

ip     5.180.41.35
path   /Windchill/login/[0-9a-f]{16}.jsp
hash   55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
path   /tmp/flst.txt
other  X-windchill-req:
  • Search HTTP access logs for POST requests to the Windchill login directory targeting JSP files, which indicates web shell interaction.
  • Scan the filesystem for dropped JSP web shells matching the 16-hex-character naming pattern under the Windchill login path.
  • Presence of flst.txt in /tmp or the Windchill working directory is a confirmed attacker artifact indicating file-listing activity.
  • Block or alert on any HTTP request containing the custom header X-windchill-req: at the WAF or IDS layer, as it is associated with exploit activity.
  • Block attacker C2 IP 5.180.41.35 at the perimeter firewall immediately.
  • The exploitation vector is deserialization of untrusted data via a malicious network request; monitor for anomalous deserialization activity on Windchill/FlexPLM endpoints.
  • Attackers are deploying JSP web shells against susceptible Windchill systems; hunt for newly created JSP files in the login directory.
  • The advisory applies to all CPS versions and also impacts Windchill and FlexPLM releases prior to 11.0 M030, broadening the affected scope beyond the main release branches.
  • The flaw affects all versions up to 11.0 and multiple versions of the 11.1, 11.2, 12.0, 12.1, and 13.0 release branches, meaning a wide range of deployments are vulnerable.
  • Restrict internet exposure of the Windchill login endpoint where operationally possible to reduce attack surface.
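As an added defensive example (not part of the advisory and not PTC tooling), the following Python turns the indicators above into a hunt over web server access logs and a filesystem path check. It assumes an Apache combined access log with the value of the X-windchill-req request header appended as a final quoted field (for example via %{X-windchill-req}i in LogFormat, "-" when absent); the sample log lines and file paths are constructed.

```python
import re
from dataclasses import dataclass

# Indicators from the advisory above.
C2_IP = "5.180.41.35"
WEBSHELL_URL = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
FILE_IOCS = (
    re.compile(r"(^|/)Windchill/login/[0-9a-f]{16}\.jsp$"),  # dropped JSP web shell
    re.compile(r"(^|/)flst\.txt$"),                          # file-listing artifact
)

# Assumed layout: combined log + "%{X-windchill-req}i" as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xreq>[^"]*)"$'
)

@dataclass
class Hit:
    ip: str
    path: str
    reasons: tuple

def classify(line: str):
    """Return a Hit if the access-log line matches any indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: surface separately if needed
    path = m["path"].split("?", 1)[0]    # drop the query string before matching
    reasons = []
    if m["ip"] == C2_IP:
        reasons.append("known C2 source IP")
    if WEBSHELL_URL.match(path):
        kind = "POST to" if m["method"] == "POST" else "request to"
        reasons.append(f"{kind} 16-hex JSP under /Windchill/login (web shell)")
    if m["xreq"] != "-":
        reasons.append("X-windchill-req header present")
    return Hit(m["ip"], path, tuple(reasons)) if reasons else None

def scan_access_log(lines):
    """Hunt a list of access-log lines; returns the matching Hit objects."""
    return [h for h in (classify(l) for l in lines) if h]

def suspicious_files(paths):
    """Filter filesystem paths (e.g. from find/os.walk) against the file IOCs."""
    return [p for p in paths if any(r.search(p) for r in FILE_IOCS)]

# Constructed sample data: one benign app request, one C2 request carrying the
# header, one C2 POST to a 16-hex JSP, and one benign request to the login page.
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Jun/2026:10:00:01 +0000] "GET /Windchill/app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '5.180.41.35 - - [18/Jun/2026:10:00:02 +0000] "POST /Windchill/servlet/WindchillGW HTTP/1.1" 500 0 "-" "python-requests/2.31" "1"',
    '5.180.41.35 - - [18/Jun/2026:10:00:05 +0000] "POST /Windchill/login/3fa9c0d1e27b4a65.jsp?x=1 HTTP/1.1" 200 84 "-" "curl/8.4" "-"',
    '10.0.0.9 - - [18/Jun/2026:10:00:09 +0000] "GET /Windchill/login/LoginPage.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit.ip, hit.path, "; ".join(hit.reasons))
```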

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:Red
cvelistv5   v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red
vulncheck            9.3    CRITICAL
cisa                 9.3    CRITICAL