CISA Adds PTC Windchill RCE Vulnerability to KEV After Active Web Shell Attacks
CISA has added CVE-2026-12569, a critical remote code execution vulnerability in PTC Windchill PDMLink and PTC FlexPLM, to its Known Exploited Vulnerabilities catalog after confirmed real-world attacks.
The flaw affects enterprise product data management and product lifecycle management software used by manufacturers and large organizations to manage design, engineering, and supply chain data. According to the PTC security notice, the issue can let an unauthorized attacker execute code remotely.
The CISA KEV catalog now lists the vulnerability as actively exploited, which means affected organizations should treat it as an urgent patching and incident response priority. The NVD entry describes the weakness as a remote code execution issue that may be exploited through deserialization of untrusted data.
What Happened
PTC first disclosed CVE-2026-12569 in June 2026 and later updated its advisory after receiving continued reports of heightened threat activity. The company says attackers are deploying JSP web shells on vulnerable Windchill systems, giving them a way to run commands and potentially maintain access.
The threat activity is serious because Windchill and FlexPLM often sit close to sensitive business information. A successful attack could expose product files, engineering records, internal workflows, and other data that companies rely on for daily operations.
PTC has urged customers to apply all patches and remediation steps immediately through its support channels. The company also says PTC-hosted Windchill or FlexPLM instances are being remediated on customers’ behalf, with direct follow-up if extra action is required.
Why CVE-2026-12569 Is Considered Critical
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-12569 |
| Affected products | PTC Windchill PDMLink and PTC FlexPLM |
| Vulnerability type | Improper input validation and deserialization of untrusted data |
| Impact | Remote code execution |
| CVSS score | PTC CVSS 4.0 score of 9.3, with NVD also listing a CVSS 3.1 score of 9.8 |
| Exploitation status | Active exploitation reported |
The vulnerability can be triggered over the network and does not require user interaction, according to the scoring details listed in the NVD vulnerability record. That combination makes it easier for attackers to target exposed systems at scale.
PTC says the issue affects multiple Windchill PDMLink and FlexPLM releases, including all CPS versions and releases prior to 11.0 M030. Organizations should check the full affected version list in official support guidance rather than relying only on product family names.
CISA’s listing also places the bug under the federal remediation process tied to BOD 26-04, which prioritizes fixes based on exploitation, exposure, automation potential, and technical impact.
Known Indicators of Compromise
PTC has published several indicators that defenders should review immediately. These include attacker infrastructure, web shell paths, suspicious request headers, and file artifacts linked to the ongoing exploitation activity.
- 172.111.38.31
- 216.152.148.54
- 104.243.35.131
- 74.50.76.146
- 5.180.41.35
- Web shell files matching /Windchill/login/[0-9a-f]{16}.jsp
- Suspicious request header: X-windchill-req:
- Possible flst.txt file in /tmp or the Windchill working directory
The PTC advisory also warns defenders not to rely only on the known web shell filenames. Attackers may create new JSP web shells using the same 16-character lowercase hexadecimal naming pattern.
That makes log review and file system scanning important even after patching. If attackers already placed a web shell on a server, applying a fix alone may not remove the attacker’s access.
What Administrators Should Do Now
Organizations running Windchill or FlexPLM should move quickly from patching to compromise assessment. The KEV listing signals that this is no longer a theoretical risk.
- Apply PTC patches and remediation steps immediately.
- Block 5.180.41.35 at the perimeter firewall.
- Search HTTP access logs for POST requests to /Windchill/login/*.jsp.
- Scan the Windchill login directory for JSP files with 16 lowercase hexadecimal characters.
- Check suspicious JSP files against the SHA-256 hash published by PTC.
- Look for flst.txt in /tmp or the Windchill working directory.
- Add WAF or IDS rules blocking requests containing the X-windchill-req: header.
- Restrict internet exposure of the Windchill login endpoint where possible.
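The following Python script is an added example, not code from PTC or from this article, that applies the published indicators and the hunting steps above: it flags access-log requests to paths matching the reported web shell naming pattern or coming from the listed attacker IPs, checks a request's header names for X-windchill-req, and hashes any JSP file in the login directory that matches the pattern. The sample log lines are constructed, the login directory path is whatever you pass in, and the SHA-256 value is a placeholder to be replaced with the hash PTC published.

```python
import hashlib
import re
from pathlib import Path
# Indicators reported by PTC (see above): 16 lowercase hex chars plus .jsp
WEBSHELL_NAME_RE = re.compile(r"^[0-9a-f]{16}\.jsp$")
WEBSHELL_PATH_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
SUSPICIOUS_HEADER = "x-windchill-req"  # header names compared case-insensitively
KNOWN_ATTACKER_IPS = {"172.111.38.31", "216.152.148.54", "104.243.35.131",
                      "74.50.76.146", "5.180.41.35"}
KNOWN_WEBSHELL_SHA256 = {"<sha256-from-ptc-advisory>"}  # placeholder, not a real hash

# Constructed sample access-log lines (combined log format) for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2026:10:00:01 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jul/2026:10:00:09 +0000] "POST /Windchill/login/Login.jsp HTTP/1.1" 302 0
5.180.41.35 - - [01/Jul/2026:10:00:11 +0000] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 64
198.51.100.7 - - [01/Jul/2026:10:00:15 +0000] "POST /Windchill/login/deadbeefcafef00d.jsp HTTP/1.1" 200 48
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_webshell_requests(log_text):
    """Return (src_ip, method, path, reason) for web-shell-pattern paths or known attacker IPs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string when matching
        reasons = []
        if WEBSHELL_PATH_RE.match(path):
            reasons.append("webshell-path")
        if ip in KNOWN_ATTACKER_IPS:
            reasons.append("known-attacker-ip")
        if reasons:
            hits.append((ip, method, path, "+".join(reasons)))
    return hits

def has_suspicious_header(headers):
    """True if a request's header names include X-windchill-req in any letter case."""
    return any(name.lower() == SUSPICIOUS_HEADER for name in headers)

def scan_login_dir(login_dir):
    """Name, SHA-256 and known-hash flag for JSP files in login_dir matching the pattern."""
    findings = []
    for p in Path(login_dir).iterdir():
        if p.is_file() and WEBSHELL_NAME_RE.match(p.name):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            findings.append((p.name, digest, digest in KNOWN_WEBSHELL_SHA256))
    return findings  # unknown hashes still need review: PTC says new shells reuse the pattern
```

Any hit from find_webshell_requests or scan_login_dir should start incident response rather than only patching, since a shell already on disk survives the fix.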
Security teams should also review endpoint detection alerts, reverse proxy logs, web server logs, and outbound network connections from Windchill application servers. Any evidence of web shell execution should trigger incident response, not just routine patch management.
Federal civilian agencies must follow CISA’s risk-based remediation guidance, but private companies should use the Known Exploited Vulnerabilities catalog as a high-confidence warning that attackers are already using the flaw in the wild.
Why the KEV Listing Matters Beyond Government Systems
KEV additions often influence enterprise patching priorities because they identify vulnerabilities with confirmed exploitation. For security teams with large backlogs, that distinction matters more than severity scores alone.
In this case, the risk is especially high because the vulnerability affects systems that may store valuable product and engineering data. Attackers who compromise a PLM environment may gain access to intellectual property, supplier information, and internal operational records.
The newer risk-based update directive also reflects a broader shift in vulnerability management. Organizations increasingly need to prioritize bugs that are exposed, easy to exploit, actively targeted, and capable of giving attackers deep system access.
Response Checklist
| Priority | Action | Reason |
|---|---|---|
| Immediate | Apply PTC remediation steps | Reduces exposure to active exploitation |
| Immediate | Block known attacker IPs | Helps disrupt known command and control activity |
| High | Search for JSP web shells | Identifies possible persistence on compromised servers |
| High | Review POST requests to Windchill login paths | Finds suspicious web shell interaction |
| High | Restrict public access to login endpoints | Limits future exploitation attempts |
Organizations should not wait for public proof-of-concept code before acting. PTC has already reported exploitation activity, and CISA has added the vulnerability to KEV based on evidence of active abuse.
The safest response is to patch, hunt for compromise, and reduce unnecessary exposure of Windchill and FlexPLM systems. For environments that handle sensitive manufacturing or product data, security teams should also consider a wider review of accounts, logs, and outbound traffic after remediation.
FAQ
What is CVE-2026-12569?
CVE-2026-12569 is a critical remote code execution vulnerability affecting PTC Windchill PDMLink and PTC FlexPLM. It may be exploited through deserialization of untrusted data.
Why did CISA add it to the KEV catalog?
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog because there is evidence that attackers are exploiting it in real-world attacks.
Which products are affected?
The vulnerability affects PTC Windchill PDMLink and PTC FlexPLM. Administrators should check PTC support guidance for the exact affected versions and required remediation steps.
How are attackers exploiting it?
PTC says attackers are deploying JSP web shells in the Windchill login directory. These web shells can help attackers run commands and maintain access on vulnerable systems.
What should administrators do?
Administrators should apply PTC patches and remediation steps immediately, then hunt for signs of compromise such as suspicious JSP files, POST requests to Windchill login paths, and known attacker IP addresses.