The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability affecting PTC Windchill PDMLink and PTC FlexPLM software to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence of active exploitation. The vulnerability, tracked as CVE-2026-12569 and assigned a CVSS score of 9.3, affects enterprise Product Data Management and Product Lifecycle Management platforms. CISA has directed Federal Civilian Executive Branch agencies to prioritize remediation, while security experts are urging all organizations using the affected products to apply the available security updates immediately and review their environments for signs of compromise.
According to PTC, the security issue is caused by improper input validation that can be exploited through the deserialization of untrusted data. An attacker can send a specially crafted network request to execute arbitrary code on vulnerable systems, potentially gaining unauthorized access and deploying additional malicious tools. Although patches for the vulnerability were released last week, PTC disclosed on June 25 that it continues to receive reports of heightened threat activity involving the flaw. The company confirmed that unknown attackers are actively exploiting vulnerable Windchill deployments by installing JSP-based web shells that provide persistent remote access to compromised servers. The continued attacks indicate that threat actors are moving quickly to target organizations that have not yet installed the available security updates.
To help organizations detect and respond to ongoing attacks, PTC has published a list of indicators of compromise associated with the campaign. These include the IP addresses 172.111.38.31, 216.152.148.54, 104.243.35.131, 74.50.76.146, and 5.180.41.35, the last of which is identified as an attacker command and control address. The company also warned administrators to search the Windchill login directory for suspicious JSP web shell files whose names consist of 16 hexadecimal characters followed by the .jsp extension. Security teams have been advised to inspect HTTP access logs for POST requests targeting the Windchill login directory, verify suspicious JSP files against the published SHA-256 hash value, and check for a file named flst.txt in the temporary directory or the Windchill working directory, as its presence may indicate attacker file listing activity during a compromise.
PTC has also recommended several defensive measures to reduce the risk of further exploitation. Organizations should immediately block communication with the identified malicious command and control server at the network perimeter, implement Web Application Firewall or Intrusion Detection System rules that block requests containing the X-windchill-req header, and restrict internet exposure of the Windchill login endpoint wherever operationally possible. These recommendations are intended to help security teams detect ongoing attacks while limiting additional unauthorized access attempts. The inclusion of CVE-2026-12569 in CISA’s Known Exploited Vulnerabilities catalog marks the first time a PTC product vulnerability has received this designation. The development also highlights the speed at which threat actors are weaponizing newly disclosed enterprise software vulnerabilities, emphasizing the importance of timely patch management, continuous monitoring, and proactive threat detection to protect critical business systems from active exploitation.
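The following script is an added example, not part of the article or of PTC's guidance, showing how the detection steps described above (POST requests to the Windchill login directory, 16-hex-character .jsp file names, the flst.txt artefact, and the published attacker IP addresses) can be applied to access-log lines and directory listings. The login directory URL path is an assumption, since the article does not state it, and the log lines are constructed samples.

```python
import re
# Assumption: the article names the "Windchill login directory" but not its URL
# path, so this prefix is a placeholder to adjust for your deployment.
LOGIN_DIR = "/Windchill/login/"
# IoCs quoted in the article: attacker IPs, 16-hex-char .jsp names, flst.txt.
KNOWN_BAD_IPS = {"172.111.38.31", "216.152.148.54", "104.243.35.131",
                 "74.50.76.146", "5.180.41.35"}
WEBSHELL_NAME = re.compile(r"^[0-9a-f]{16}\.jsp$", re.IGNORECASE)
LISTING_FILE = "flst.txt"
# Common Log Format prefix: ip ident user [time] "METHOD path protocol"
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    """Return (ip, method, path-without-query) or None for an unparsable line."""
    if not (m := CLF.match(line)):
        return None
    ip, method, path = m.groups()
    return ip, method, path.split("?", 1)[0]

def classify(ip, method, path):
    """List why a request is suspicious; an empty list means nothing matched."""
    reasons = []
    if ip in KNOWN_BAD_IPS:
        reasons.append("known_bad_ip")
    if path.startswith(LOGIN_DIR):
        if method == "POST":
            reasons.append("post_to_login_dir")
        if WEBSHELL_NAME.match(path[len(LOGIN_DIR):]):
            reasons.append("webshell_name_pattern")
    return reasons

def scan_log(lines):
    """Return (ip, path, reasons) for each log line that trips a check."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and (reasons := classify(*parsed)):
            hits.append((parsed[0], parsed[2], reasons))
    return hits

def suspicious_filenames(names):
    """Filter a directory listing to web-shell-pattern names and flst.txt."""
    return [n for n in names if WEBSHELL_NAME.match(n) or n == LISTING_FILE]

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jun/2026:10:01:02 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120',
    '172.111.38.31 - - [25/Jun/2026:10:02:17 +0000] "POST /Windchill/login/ HTTP/1.1" 200 312',
    '10.0.0.9 - - [25/Jun/2026:10:02:19 +0000] "POST /Windchill/login/3f9a1c7e5b2d8a04.jsp HTTP/1.1" 200 88',
    '10.0.0.7 - - [25/Jun/2026:10:03:00 +0000] "GET /Windchill/login/index.jsp HTTP/1.1" 200 2048',
]
```

Run `scan_log` over the real access log and `suspicious_filenames` over a listing of the login and working directories; a name-pattern hit should then be confirmed against the SHA-256 hash PTC published.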