The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical remote code execution vulnerability in PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited in the wild. Tracked as CVE-2026-12569 with a CVSS score of 9.3, the vulnerability stems from improper input validation and insecure deserialization, allowing attackers to execute arbitrary code via specially crafted network requests.
Security researchers and vendor advisories indicate that attackers are already leveraging the flaw to deploy JSP web shells on vulnerable systems, giving them persistent remote access to compromised environments. PTC confirmed that despite patches released earlier in the month, exploitation attempts have continued, with increased threat activity observed as of June 25. The attacks typically target exposed enterprise deployments of Windchill, a widely used product lifecycle management platform in manufacturing and engineering environments.
The campaign relies on placing malicious JSP files into Windchill directories using predictable naming patterns, enabling attackers to establish long-term footholds inside enterprise systems. Indicators of compromise include traffic to suspicious IP addresses (known command-and-control infrastructure), web shell files under /Windchill/login/, and anomalous HTTP POST requests to those paths. Security teams are also advised to look for signs of file enumeration activity and artifacts of unauthorized log access that may indicate system compromise.
CISA’s inclusion of this vulnerability in the KEV catalog underscores the rapid pace at which enterprise software flaws are being weaponized following public disclosure. Organizations using affected PTC products are strongly urged to apply vendor patches immediately, restrict public exposure of Windchill services, and actively hunt for indicators of compromise within logs and file systems to detect potential intrusions.
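As an added illustration of the hunting the advisory recommends (this is example code written for this article, not a PTC or CISA tool), the script below parses web-server access-log lines in the common "combined" format, flags HTTP POST requests to JSP files under /Windchill/login/ that are not part of a known-good baseline, and separately checks a file listing for unexpected JSP files in that directory. The log lines, IP addresses, file names and the baseline set are all constructed placeholders: the real baseline must be taken from a clean Windchill install of the same version, and real indicators come from the vendor advisory.

```python
import re

# Prefix of the directory the advisory names for web shell drops.
LOGIN_PREFIX = "/Windchill/login/"

# Placeholder baseline of JSP files legitimately served from that directory.
# This set is an assumption for the example; derive the real one from a clean install.
KNOWN_LOGIN_JSPS = {"/Windchill/login/auth.jsp"}

# Constructed sample access-log lines (combined log format). Addresses come from
# documentation ranges and the file names are invented; none are real indicators.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [25/Jun/2026:10:14:02 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jun/2026:10:14:05 +0000] "POST /Windchill/login/auth.jsp HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2026:10:15:31 +0000] "POST /Windchill/login/sys_tmp1.jsp HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2026:10:15:40 +0000] "POST /Windchill/servlet/placeholder HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.44 - - [25/Jun/2026:10:16:00 +0000] "GET /Windchill/login/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed file listing standing in for a walk of the deployed web root.
SAMPLE_FILE_LISTING = [
    "/Windchill/login/auth.jsp",
    "/Windchill/login/style.css",
    "/Windchill/login/sys_tmp1.jsp",
    "/Windchill/app/index.jsp",
]

# Fields of a combined-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log(text):
    """Return one dict per parseable log line, with the query string split off the path."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        entry = m.groupdict()
        entry["path"] = entry["target"].split("?", 1)[0]
        entries.append(entry)
    return entries


def flag_suspicious_posts(entries, baseline=KNOWN_LOGIN_JSPS):
    """Flag POST requests to JSP files under /Windchill/login/ that are not in the baseline."""
    hits = []
    for e in entries:
        path = e["path"]
        if e["method"] != "POST" or not path.startswith(LOGIN_PREFIX):
            continue
        if path.lower().endswith(".jsp") and path not in baseline:
            hits.append({
                "ip": e["ip"],
                "ts": e["ts"],
                "path": path,
                "status": e["status"],
                "reason": "POST to non-baseline JSP under " + LOGIN_PREFIX,
            })
    return hits


def find_unexpected_jsp_files(paths, baseline=KNOWN_LOGIN_JSPS):
    """Return JSP files under /Windchill/login/ that the baseline does not account for."""
    return sorted(
        p for p in paths
        if p.startswith(LOGIN_PREFIX) and p.lower().endswith(".jsp") and p not in baseline
    )


if __name__ == "__main__":
    for hit in flag_suspicious_posts(parse_access_log(SAMPLE_ACCESS_LOG)):
        print("log hit:", hit)
    for path in find_unexpected_jsp_files(SAMPLE_FILE_LISTING):
        print("unexpected file:", path)
```

On the constructed input the script reports one log hit (the POST to sys_tmp1.jsp from 198.51.100.7) and one unexpected file (the same JSP on disk); the request to the placeholder servlet path is deliberately not flagged, since the page only supports the login directory as a drop location. A file that appears in the listing but never in the logs, or requests that return 404, still deserve a look, which is why the status code is carried in each hit rather than filtered on.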
