CISA: PTC Windchill RCE flaw (CVE-2026-12569) under active attack
CISA added a critical RCE in PTC Windchill PDMLink and FlexPLM (CVE-2026-12569, CVSS 9.3) to its KEV catalog on June 26 over evidence of active exploitation. The bug stems from deserialization of untrusted data; attackers are deploying JSP web shells. CISA set a June 28 federal patch deadline.
CISA added a critical remote code execution (RCE) flaw in PTC Windchill PDMLink and FlexPLM to its Known Exploited Vulnerabilities (KEV) catalog on June 26, 2026, citing evidence of active exploitation.
Key points
- Identifier: CVE-2026-12569, CVSS 9.3 — RCE via deserialization of untrusted data.
- Affected: all CPS versions and Windchill/FlexPLM releases prior to 11.0 M030.
- Active exploitation: as of June 25, PTC said it continues to receive reports of heightened threat activity; attackers are deploying JSP web shells.
- Patch deadline: CISA ordered U.S. federal agencies to remediate by June 28; patches were published on June 18, with urgent upgrade guidance.
Summarized from The Hacker News (citing CISA and PTC advisories). See the original for full details and remediation steps.
Source
PTC
#CVE-2026-12569#PTC Windchill#CISA KEV#RCE#Deserialization
This summary was written by the ORA·tech AI assistant. Read the original for full context.