- What: CVE-2026-12569, a critical (CVSS 9.3) remote code execution flaw in PTC Windchill caused by deserialization of untrusted data, was added to CISA's Known Exploited Vulnerabilities catalog on June 25, 2026.
- Impact: Attackers are dropping JSP web shells on exposed Windchill systems for full remote code execution. PTC reports heightened threat activity and has published attacker C2 IPs and web-shell indicators.
- Fix / mitigation: Patch immediately (PTC shipped fixes the week of June 25), block the published C2 IPs, hunt for the web-shell pattern, and take Windchill login endpoints off the public internet.
- Who's at risk: Manufacturers, engineering firms, and their suppliers running PTC Windchill PDMlink or FlexPLM, the product-data and lifecycle systems that hold their design and BOM crown jewels.
On June 25, 2026, CISA added CVE-2026-12569 to its Known Exploited Vulnerabilities catalog. The vulnerability is a critical, CVSS 9.3 remote code execution flaw in PTC Windchill, and it carries a notable first: it is the first PTC product ever to land on the KEV list. For federal agencies and contractors, that listing starts the BOD 22-01 remediation clock immediately.
The root cause, per PTC's advisory, is deserialization of untrusted data, a class of bug that hands an attacker code execution when an application rebuilds objects from input it should not trust. It affects PTC's enterprise product-data and lifecycle platforms, Windchill PDMlink and FlexPLM, the systems manufacturers use to manage CAD files, bills of materials, and the full design history of their products.
Why a PLM bug is a serious problem
Windchill is not a flashy target, and that is exactly why it is a valuable one. Product Lifecycle Management systems sit at the center of a manufacturer's intellectual property: product designs, engineering change orders, supplier data, and bills of materials. A web shell on a Windchill server is a foothold inside the part of the business that defines what the company actually makes. For defense, aerospace, automotive, and industrial suppliers, that is a textbook espionage objective, and the same access supports ransomware staging just as easily.
Deserialization RCE on an internet-reachable enterprise app is the most reliable kind of initial access there is: no user interaction, no phishing, just a request to an exposed endpoint. CVE-2026-12569 joining the KEV catalog within days of disclosure tells you the weaponization window has collapsed to near zero.
Indicators of compromise
PTC published concrete indicators alongside its advisory. Hunt for these now, even if you have already patched:
- Web shells written to the pattern /Windchill/login/[0-9a-f]{16}.jsp (a 16-character hex filename under the login path)
- POST requests in HTTP logs to /Windchill/login/*.jsp
- Attacker command-and-control traffic, including the IP 5.180.41.35, which PTC recommends blocking at the firewall (one of five published C2 addresses)
- A suspicious JSP with hash 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
- A dropped flst.txt file in /tmp or the Windchill working directory
- Requests carrying an X-windchill-req: header, which can be blocked at a WAF or IDS
Because exploitation is already happening and web shells persist independently of the vulnerable code, applying the patch does not evict an attacker who is already in. Treat any unpatched, internet-exposed Windchill instance as potentially compromised: patch, then hunt for the indicators above and inspect the login directory for unexpected JSP files before you call it closed.
CVE-2026-12569 is tracked in the RedEye CVE Index, and the web-shell and C2 indicators above map cleanly to detection logic: POSTs to /Windchill/login/*.jsp, the X-windchill-req header, and traffic to the published C2 IPs. Those are exactly the events the RedEye Intel Feed ships, so a Windchill exploitation attempt becomes a fired alert rather than a forensic discovery.
What to do now
- Patch Windchill immediately. PTC released fixes the week of June 25. Federal agencies and contractors are on the BOD 22-01 clock; everyone else should treat this as same-day.
- Get login endpoints off the public internet. Put Windchill behind a VPN or reverse proxy with access control, and segment it from the rest of the network. PLM systems do not belong on the open internet.
- Block and hunt. Block the published C2 IPs, add a WAF rule for the X-windchill-req header, and search HTTP logs and the filesystem for the web-shell indicators above.
- Assume breach if you were exposed. Any unpatched, internet-facing instance should be triaged as a potential active incident, not just a patch ticket.
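A hunt script for the indicators listed above and for the "block and hunt" step, added here as an example and not code from PTC, RedEye, or the advisories. It assumes a combined-style access log with any logged request headers appended after the user agent (a constructed layout), and that the on-disk directory behind the /Windchill/login/ URL path is named "login"; only the one C2 address quoted in the post is included, and the sample log lines are constructed.

```python
import re
WEBSHELL_PATH_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
LOGIN_JSP_RE = re.compile(r"^/Windchill/login/[^/]+\.jsp$")
HEX_JSP_NAME_RE = re.compile(r"[0-9a-f]{16}\.jsp")
SUSPICIOUS_HEADER = "x-windchill-req"
C2_IPS = {"5.180.41.35"}  # PTC published five; only this one is quoted in the post
C2_IP_RE = re.compile(r"(?<![\d.])(" + "|".join(map(re.escape, C2_IPS)) + r")(?![\d.])")
# Assumed log layout (constructed for this example): combined-style access log with any
# logged request headers appended after the user agent as "Name: value".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*"(?P<extra>.*)$'
)

def classify(line):
    """Return the indicator names one log line matches (empty list if clean)."""
    hits = []
    if C2_IP_RE.search(line):          # works on access, proxy, or firewall log lines alike
        hits.append("known_c2_ip")
    m = LOG_RE.match(line)
    if not m:
        return hits
    path = m.group("path").split("?", 1)[0]
    if WEBSHELL_PATH_RE.match(path):   # high confidence: the published filename pattern
        hits.append("webshell_hex_jsp")
    elif m.group("method") == "POST" and LOGIN_JSP_RE.match(path):
        hits.append("post_login_jsp")  # broader hunt: any POST to /Windchill/login/*.jsp
    if SUSPICIOUS_HEADER in m.group("extra").lower():
        hits.append("x_windchill_req_header")
    return hits

def hunt_log(lines):
    """Return (line_number, hits) for every log line matching at least one indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

def suspicious_files(paths):
    """Dropped-file indicators among file paths (e.g. from os.walk over the Windchill install
    and /tmp): flst.txt anywhere, or a 16-hex .jsp directly under a 'login' directory (assumed layout)."""
    def hit(p):
        parts = p.replace("\\", "/").split("/")
        parent = parts[-2] if len(parts) > 1 else ""
        return parts[-1] == "flst.txt" or (parent == "login" and bool(HEX_JSP_NAME_RE.fullmatch(parts[-1])))
    return [p for p in paths if hit(p)]
# Constructed sample lines; the non-C2 client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2026:10:01:02 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Jun/2026:10:01:09 +0000] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 48 "-" "curl/8.0" X-windchill-req: 1',
    '198.51.100.9 - - [26/Jun/2026:10:02:33 +0000] "POST /Windchill/login/index.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '5.180.41.35 - - [26/Jun/2026:10:03:00 +0000] "GET /Windchill/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
]
```

Run hunt_log over the real access log and suspicious_files over the paths collected from the Windchill install and /tmp; a "webshell_hex_jsp" hit or a matching file is a potential active incident, not a patch ticket.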
Is your Windchill, or anything like it, exposed?
RedEye Security helps manufacturers and their suppliers find internet-facing enterprise apps, ship detections for active campaigns, and turn KEV-listed CVEs into alerts instead of incidents.
Source: The Hacker News, "CISA Adds Exploited PTC Windchill RCE Flaw to KEV Catalog", plus PTC and CISA advisories.
