PTC Windchill CVE-2026-12569 in CISA KEV — federal patch deadline June 28
CISA added the CVSS 10 deserialization RCE in Windchill PDMLink and FlexPLM to KEV on June 25. PTC ships patches, BSI repeats the alarm. Three days to act.
CISA added CVE-2026-12569 — an unauthenticated, deserialization-driven remote code execution flaw in PTC Windchill PDMLink and PTC FlexPLM — to the Known Exploited Vulnerabilities catalog on June 25, 2026, in the agency's two-CVE alert of the same day. Under BOD 26-04, federal civilian agencies have until June 28 — three days from KEV addition — to apply the vendor patch or pull the product offline. The bug scores 9.3 (CVSS 4.0) and 10.0 (CVSS 3.1).
What's affected
The vulnerability lives in the deserialization path of both Windchill PDMLink and FlexPLM. According to PTC's June advisory, the products are in scope at:
- Windchill PDMLink 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0, and releases prior to 11.0 M030.
- PTC FlexPLM across the same branches.
Both products are PLM platforms managing engineering data across aerospace, automotive, medical devices, electronics, fashion and footwear estates — the kind of system where a single web-tier RCE walks straight into design IP, BOMs and supplier portals.
The flaw
CVE-2026-12569 is improper input validation (CWE-20) leading to unsafe deserialization of attacker-supplied data. No authentication required. An unauthenticated remote attacker delivering a crafted request to the Windchill web tier executes arbitrary code in the context of the application user — full system compromise on a successful single shot.
Patches
PTC has shipped fixes across the supported branches. The vendor lists the upgrade targets in eSupport article CS473270; the named fixed builds in current circulation include:
- Windchill 13.1.3.4
- Windchill 13.1.2.8
- Windchill 13.0.2.12
- Windchill 12.1.2.27
- Patches for 12.0.2 and 11.0 M030 branches are also available.
If you're on an unsupported branch — 11.1 M020 and below — there is no in-branch fix; the upgrade is the only path.
Exploitation status
PTC's advisory references "continued reports of heightened threat activity" and urges immediate patching. CISA's KEV addition is, by definition, based on evidence of in-the-wild exploitation. Germany's BSI issued a parallel critical alert on the same flaw — the second time this year a PTC Windchill RCE has triggered cross-Atlantic government warnings.
Action checklist
- Patch today. Pick the fixed build matching your branch from PTC eSupport CS473270 and roll it through. The federal deadline is June 28; for the rest of us, the exploitation window is already open.
- If you can't patch immediately, pull the Windchill web tier off any internet-facing or untrusted network. The flaw is pre-auth — IP allowlisting is the only mitigation that holds.
- Hunt for the documented IOCs in HTTP access logs and on disk (see block below). Legitimate Windchill traffic does not POST to /Windchill/login/*.jsp.
- If you find a hit, treat the host as compromised. Webshells in /Windchill/codebase/login/ mean the attacker has code execution and likely persistence — patching after the fact does not evict.
- Rotate any credentials, API tokens, and service accounts exposed to the Windchill application server. PLM platforms typically hold AD/SSO trust and ERP integration secrets in reach of the web tier.
Detection — webshell pattern
The pattern reported in PTC's customer guidance and reproduced in the BSI alert — webshells named with 16 lowercase hex characters and dropped under the Windchill login path:
# HTTP access log — any POST to a JSP under /Windchill/login/ is anomalous
POST /Windchill/login/[0-9a-f]{16}.jsp
# Filesystem — scan for matching webshells on disk
…/Windchill/codebase/login/[0-9a-f]{16}.jsp
New shell names rotate; the path and 16-hex pattern hold across observed campaigns. Operators should not treat these as exhaustive — PTC's eSupport article carries the live IOC list and is the authoritative reference.
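As an added example (not code from PTC, CISA or BSI), the webshell pattern above turned into a small Python hunt: it scans access-log lines for the 16-hex JSP under /Windchill/login/ and for any other POST to a login JSP, and checks a list of filenames from codebase/login against the same name pattern. The combined log format, regexes, sample log lines and helper names are this example's own assumptions; the sample lines are constructed, not real traffic.

```python
import re
from pathlib import Path

# Webshell name pattern from the guidance above: 16 lowercase hex chars + .jsp
SHELL_NAME = re.compile(r"^[0-9a-f]{16}\.jsp$")
# Assumed Apache/Tomcat combined log layout: src, ident, user, [ts], "METHOD PATH PROTO", status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any JSP directly under /Windchill/login/, with or without a query string
LOGIN_JSP = re.compile(r"^/Windchill/login/([^/?]+\.jsp)(?:\?|$)")

def scan_access_log(lines):
    """Return hits: 'ioc-match' for a 16-hex JSP (any method),
    'anomalous-post' for a POST to any other JSP under /Windchill/login/."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        j = LOGIN_JSP.match(m["path"])
        if not j:
            continue
        if SHELL_NAME.match(j.group(1)):
            severity = "ioc-match"
        elif m["method"] == "POST":
            severity = "anomalous-post"
        else:
            continue  # e.g. a GET to a legitimate login JSP
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": m["status"], "severity": severity})
    return hits

def find_shell_names(names):
    """Filter a list of filenames down to those matching the 16-hex webshell pattern."""
    return sorted(n for n in names if SHELL_NAME.match(n))

def scan_codebase_login(windchill_root):
    """Apply find_shell_names to the files in <root>/codebase/login on disk."""
    login_dir = Path(windchill_root) / "codebase" / "login"
    if not login_dir.is_dir():
        return []
    return find_shell_names(p.name for p in login_dir.iterdir() if p.is_file())

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jun/2026:14:02:11 +0000] "POST /Windchill/login/a1b2c3d4e5f60718.jsp HTTP/1.1" 200 512',
    '198.51.100.4 - - [25/Jun/2026:14:02:15 +0000] "GET /Windchill/app/ HTTP/1.1" 200 4096',
    '203.0.113.7 - - [25/Jun/2026:14:03:00 +0000] "POST /Windchill/login/error.jsp?x=1 HTTP/1.1" 404 0',
    '198.51.100.4 - - [25/Jun/2026:14:03:30 +0000] "GET /Windchill/login/a1b2c3d4e5f60718.jsp HTTP/1.1" 200 100',
    '198.51.100.4 - - [25/Jun/2026:14:04:00 +0000] "GET /Windchill/login/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["severity"], hit["src"], hit["method"], hit["path"])
```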
Context
This is the second critical Windchill/FlexPLM RCE chain to detonate in 2026. In March, CVE-2026-4681 — the same product family, same deserialization class, same CVSS 10.0 — prompted Germany's BKA to deploy state police to admin homes at 2:45 AM on a Sunday to deliver the patch warning in person, as Heise reported at the time. Three months later, the same surface ships a second pre-auth RCE.
PLM platforms have been under-treated by the patch cadence of both IT and engineering teams for years; CVE-2026-12569 makes it the third KEV-listed enterprise application RCE this quarter to hit the seam between the two. If Windchill or FlexPLM is in scope and not on your asset register's monthly patch cycle, today is the day to fix that.