CVE-2026-12569 — PTC Windchill and FlexPLM Improper Input Validation Vulnerability

CVE-2026-12569

PTC Windchill / FlexPLM — Unauthenticated Pre-Auth Remote Code Execution via Deserialization

What is PTC Windchill?

PTC Windchill (PDMLink) is the leading Product Lifecycle Management (PLM) platform, used by defense contractors, aerospace manufacturers, automotive OEMs, and industrial equipment makers to manage engineering designs, CAD files, bills of materials, and manufacturing processes. PTC FlexPLM is a Windchill variant targeting retail and apparel supply chain management.

Because Windchill instances store sensitive intellectual property — weapons system designs, aircraft schematics, proprietary manufacturing data — they are high-value targets for nation-state espionage, particularly from actors linked to defense industrial base targeting. CVE-2026-12569 marks the first documented case of a Windchill vulnerability being actively exploited in the wild.

Overview

CVE-2026-12569 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in PTC Windchill and FlexPLM. An unauthenticated remote attacker can send a specially crafted network request to execute arbitrary code on the server with no credentials and no user interaction required.

PTC released patches on June 18, 2026, the same day the CVE was published. CISA added the vulnerability to the KEV catalog one week later on June 25, 2026, with an unusually compressed three-day federal remediation deadline (June 28). JSP webshell deployments in Windchill's login directory were observed within 24 hours of the KEV addition. Germany's BSI began notifying affected German companies a day before public disclosure, suggesting early intelligence of active targeting.

Affected Versions

Patches are available for the following Windchill versions (per PTC advisory CS473270):

Product             Vulnerable                      Patched Version
Windchill PDMLink   Prior to 11.0 M030 patch        11.0 M030
Windchill PDMLink   Prior to 11.1 M020 patch        11.1 M020
Windchill PDMLink   Prior to 11.2.1 patch           11.2.1
Windchill PDMLink   Prior to 12.0.2 patch           12.0.2
Windchill PDMLink   Prior to 12.1.2 patch           12.1.2
Windchill PDMLink   Prior to 13.1.1 patch           13.1.1
FlexPLM             Prior to 11.0 M030 patch        11.0 M030

Technical Details

The vulnerability combines CWE-20 (Improper Input Validation) with a deserialization attack path. An attacker sends a specially crafted serialized object to a vulnerable network endpoint. Windchill's application server deserializes the object without adequate validation, triggering arbitrary code execution in the context of the application server process.

Key attack characteristics:

  • No authentication required: Full pre-auth exploitation — no credentials, no session
  • Network exploitable: Reachable from any network-accessible host
  • Low complexity: No special knowledge or environmental conditions required
  • No user interaction: Triggered entirely server-side

Germany's Federal Office for Information Security (BSI) began notifying affected German companies on June 17, 2026 — one day before public disclosure — indicating early intelligence about active targeting of Windchill deployments.

Discovery

Positive Technologies documented the vulnerability under tracker PT-2026-50580, suggesting involvement in discovery or analysis. Formal discovery attribution has not been publicly confirmed in CISA or PTC advisories.

Exploitation Context

Active exploitation was confirmed within days of patch availability, representing the first documented exploitation of a Windchill vulnerability in the wild. Attackers deployed persistent JSP webshells into the /Windchill/login/ directory, using filenames composed of 16 lowercase hexadecimal characters. These webshells provide persistent remote command execution and data exfiltration capability that survives patching unless explicitly removed.

The compressed three-day CISA deadline (June 25 addition, June 28 deadline) and the BSI pre-disclosure notifications indicate that exploitation was actively occurring at the time of public disclosure. No specific threat actor has been publicly attributed, but targeting of a PLM platform used by defense contractors and aerospace manufacturers is consistent with nation-state intellectual property theft operations.

Remediation

  1. Apply patches immediately: Upgrade to the patched Windchill version for your release track (see Affected Versions table)
  2. Scan for webshells: Search the /Windchill/login/ directory (and subdirectories) for JSP files with 16-character lowercase hexadecimal names that were not deliberately deployed
  3. Review server access logs: Look for POST requests to Windchill network endpoints from unexpected source IPs, particularly around June 18–28, 2026
  4. Restrict network access: If Windchill does not need to be internet-facing, place it behind a firewall or VPN — PLM systems rarely require direct internet exposure
  5. Audit for lateral movement: If webshells are found, treat the server as compromised; investigate what data was accessed and whether the attacker moved to adjacent systems
  6. Engage sector resources: CISA and relevant sector ISACs (Defense, Aerospace) are monitoring this campaign; report confirmed incidents via CISA's reporting portal
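The webshell sweep and access-log review from steps 2 and 3 above, written here as an added Python example (not code from PTC, CISA or the original advisory); it reuses the page's own indicators (16-character lowercase hex .jsp names under /Windchill/login/, POSTs between June 18 and June 28, 2026), while the sample directory, the log lines and the path /Windchill/example-endpoint are constructed placeholders.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Webshell names reported in the campaign: exactly 16 lowercase hex characters plus ".jsp".
WEBSHELL_NAME = re.compile(r"^[0-9a-f]{16}\.jsp$")

def find_suspicious_jsp(login_dir):
    """Return POSIX paths, relative to login_dir, of files (any depth) matching WEBSHELL_NAME."""
    root = Path(login_dir)
    hits = [p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and WEBSHELL_NAME.match(p.name)]
    return sorted(hits)

# Combined-format access log line (Apache/Tomcat style); only the fields needed here are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')

def suspicious_posts(lines, start, end, known_ips=frozenset()):
    """Return (ip, iso_timestamp, path) for POSTs under /Windchill/ inside [start, end] from unknown IPs."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/Windchill/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= end and m["ip"] not in known_ips:
            out.append((m["ip"], ts.isoformat(), m["path"]))
    return out

# Constructed sample data, not real artifacts: a throwaway login directory and four made-up log lines.
def build_sample_login_dir():
    d = Path(tempfile.mkdtemp(prefix="windchill_login_"))
    (d / "images").mkdir()
    for rel in ["login.jsp", "3f9a1c2e7b8d4e6f.jsp", "3F9A1C2E7B8D4E6F.jsp",   # upper case: no match
                "images/0123456789abcdef.jsp", "0123456789abcdef.jspx"]:      # .jspx: no match
        (d / rel).write_text("<%-- placeholder --%>")
    return str(d)

# "/Windchill/example-endpoint" is a placeholder path, not a real Windchill endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jun/2026:03:14:07 +0000] "POST /Windchill/example-endpoint HTTP/1.1" 200 512',
    '198.51.100.2 - - [20/Jun/2026:09:00:00 +0000] "GET /Windchill/login/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [21/Jun/2026:10:30:00 +0000] "POST /Windchill/example-endpoint HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Jul/2026:00:00:00 +0000] "POST /Windchill/example-endpoint HTTP/1.1" 200 512',
]
WINDOW = (datetime(2026, 6, 18, tzinfo=timezone.utc), datetime(2026, 6, 28, 23, 59, 59, tzinfo=timezone.utc))

def demo(known_ips=frozenset({"10.0.0.5"})):
    # Both checks on the constructed data: ([relative webshell paths], [suspicious POST tuples])
    return find_suspicious_jsp(build_sample_login_dir()), suspicious_posts(SAMPLE_LOG, *WINDOW, known_ips=known_ips)
```

On a real server, point find_suspicious_jsp at the deployed /Windchill/login/ directory and feed suspicious_posts the web server's access log lines, with the organisation's own administrative and integration addresses in known_ips.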

Key Details

Property                Value
CVE ID                  CVE-2026-12569
Vendor / Product        PTC — Windchill and FlexPLM
NVD Published           2026-06-18
NVD Last Modified       2026-06-30
CVSS 3.1 Score          9.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-20
CISA KEV Added          2026-06-25
CISA KEV Deadline       2026-06-28
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector           Network
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Unchanged
Confidentiality         High
Integrity               High
Availability            High

Required Action

CISA BOD 22-01 Deadline: 2026-06-28. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA's "Forensics Triage Requirements" (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

Date          Event
2026-06-17    PTC warning issued; BSI begins notifying affected German companies
2026-06-18    Patches released; CVE published
2026-06-25    Added to CISA Known Exploited Vulnerabilities catalog
2026-06-26    JSP webshell deployments observed in /Windchill/login/
2026-06-28    CISA BOD 22-01 remediation deadline