What is PTC Windchill?
PTC Windchill (PDMLink) is the leading Product Lifecycle Management (PLM) platform, used by defense contractors, aerospace manufacturers, automotive OEMs, and industrial equipment makers to manage engineering designs, CAD files, bills of materials, and manufacturing processes. PTC FlexPLM is a Windchill variant targeting retail and apparel supply chain management.
Because Windchill instances store sensitive intellectual property — weapons system designs, aircraft schematics, proprietary manufacturing data — they are high-value targets for nation-state espionage, particularly from actors linked to defense industrial base targeting. CVE-2026-12569 marks the first documented case of a Windchill vulnerability being actively exploited in the wild.
Overview
CVE-2026-12569 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in PTC Windchill and FlexPLM. An unauthenticated remote attacker can send a specially crafted network request to execute arbitrary code on the server with no credentials and no user interaction required.
PTC released patches on June 18, 2026, the same day the CVE was published. CISA added the vulnerability to the KEV catalog one week later on June 25, 2026, with an unusually compressed three-day federal remediation deadline (June 28). JSP webshell deployments in Windchill's login directory were observed within 24 hours of the KEV addition. Germany's BSI began notifying affected German companies a day before public disclosure, suggesting early intelligence of active targeting.
Affected Versions
Patches are available for the following Windchill versions (per PTC advisory CS473270):
| Product | Vulnerable | Patched Version |
|---|---|---|
| Windchill PDMLink | Prior to 11.0 M030 patch | 11.0 M030 |
| Windchill PDMLink | Prior to 11.1 M020 patch | 11.1 M020 |
| Windchill PDMLink | Prior to 11.2.1 patch | 11.2.1 |
| Windchill PDMLink | Prior to 12.0.2 patch | 12.0.2 |
| Windchill PDMLink | Prior to 12.1.2 patch | 12.1.2 |
| Windchill PDMLink | Prior to 13.1.1 patch | 13.1.1 |
| FlexPLM | Prior to 11.0 M030 patch | 11.0 M030 |
Technical Details
The vulnerability combines CWE-20 (Improper Input Validation) with a deserialization attack path. An attacker sends a specially crafted serialized object to a vulnerable network endpoint. Windchill's application server deserializes the object without adequate validation, triggering arbitrary code execution in the context of the application server process.
Key attack characteristics:
- No authentication required: Full pre-auth exploitation — no credentials, no session
- Network exploitable: Reachable from any network-accessible host
- Low complexity: No special knowledge or environmental conditions required
- No user interaction: Triggered entirely server-side
Germany's Federal Office for Information Security (BSI) began notifying affected German companies on June 17, 2026 — one day before public disclosure — indicating early intelligence about active targeting of Windchill deployments.
Discovery
Positive Technologies documented the vulnerability under tracker PT-2026-50580, suggesting involvement in discovery or analysis. Formal discovery attribution has not been publicly confirmed in CISA or PTC advisories.
Exploitation Context
Active exploitation was confirmed within days of patch availability, representing the first documented exploitation of a Windchill vulnerability in the wild. Attackers deployed persistent JSP webshells into the /Windchill/login/ directory, using filenames composed of 16 lowercase hexadecimal characters. These webshells provide persistent remote command execution and data exfiltration capability that survives patching unless explicitly removed.
The compressed three-day CISA deadline (June 25 addition, June 28 deadline) and the BSI pre-disclosure notifications indicate that exploitation was actively occurring at the time of public disclosure. No specific threat actor has been publicly attributed, but targeting of a PLM platform used by defense contractors and aerospace manufacturers is consistent with nation-state intellectual property theft operations.
Remediation
- Apply patches immediately: Upgrade to the patched Windchill version for your release track (see Affected Versions table)
- Scan for webshells: Search the /Windchill/login/ directory (and subdirectories) for JSP files with 16-character lowercase hexadecimal names that were not deliberately deployed
- Review server access logs: Look for POST requests to Windchill network endpoints from unexpected source IPs, particularly around June 18–28, 2026
- Restrict network access: If Windchill does not need to be internet-facing, place it behind a firewall or VPN — PLM systems rarely require direct internet exposure
- Audit for lateral movement: If webshells are found, treat the server as compromised; investigate what data was accessed and whether the attacker moved to adjacent systems
- Engage sector resources: CISA and relevant sector ISACs (Defense, Aerospace) are monitoring this campaign; report confirmed incidents via CISA's reporting portal
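The webshell scan and access-log review steps above can be scripted. The following is an added example, not tooling from PTC, CISA, or the original advisory. It assumes Apache common/combined log format; the function names, the `expected_nets` allowlist, and the sample log lines are hypothetical, and the caller supplies the real path to the Windchill login directory.

```python
import hashlib
import ipaddress
import os
import re
from datetime import date, datetime

# Webshell naming reported in the advisory: 16 lowercase hex characters + .jsp
HEX_JSP = re.compile(r"[0-9a-f]{16}\.jsp")
# Assumption: access logs are in Apache common/combined log format.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
WINDOW = (date(2026, 6, 18), date(2026, 6, 28))  # dates named in the advisory
SAMPLE_LOG = [  # constructed lines; documentation IPs and a placeholder endpoint
    '10.1.2.3 - - [20/Jun/2026:09:00:00 +0000] "POST /Windchill/PLACEHOLDER HTTP/1.1" 200 5',
    '203.0.113.9 - - [26/Jun/2026:03:12:44 +0000] "POST /Windchill/PLACEHOLDER HTTP/1.1" 200 5',
    '198.51.100.7 - - [27/Jun/2026:03:15:02 +0000] "GET /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 9',
]


def find_suspect_jsps(login_dir):
    """Recursively list (path, mtime, sha256) for hex-named JSPs under login_dir."""
    hits = []
    for dirpath, _dirs, files in os.walk(login_dir):
        for name in sorted(files):
            if HEX_JSP.fullmatch(name):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                hits.append((path, os.path.getmtime(path), digest))
    return hits


def review_access_log(lines, expected_nets):
    """Return (reason, source, method, path) tuples for requests needing review."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for m in filter(None, map(LOG_LINE.match, lines)):
        src, stamp, method, path = m.groups()
        day = datetime.strptime(stamp[:11], "%d/%b/%Y").date()
        leaf = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if "/Windchill/login/" in path and HEX_JSP.fullmatch(leaf):
            findings.append(("hex-jsp-request", src, method, path))
        elif method == "POST" and WINDOW[0] <= day <= WINDOW[1]:
            try:
                known = any(ipaddress.ip_address(src) in n for n in nets)
            except ValueError:  # hostname logged instead of an IP
                known = False
            if not known:
                findings.append(("post-from-unexpected-ip", src, method, path))
    return findings
```

Record the path, modification time, and hash of each hit as evidence before removing the file, and compare the modification times against the log findings.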
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-12569 |
| Vendor / Product | PTC — Windchill and FlexPLM |
| NVD Published | 2026-06-18 |
| NVD Last Modified | 2026-06-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-20 |
| CISA KEV Added | 2026-06-25 |
| CISA KEV Deadline | 2026-06-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-06-17 | PTC warning issued; BSI begins notifying affected German companies |
| 2026-06-18 | Patches released; CVE published |
| 2026-06-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-26 | JSP webshell deployments observed in /Windchill/login/ |
| 2026-06-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| PTC Advisory CS473270 — Windchill/FlexPLM RCE Vulnerability | Vendor Advisory |
| NVD — CVE-2026-12569 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| CISA Adds Exploited PTC Windchill RCE to KEV — The Hacker News | Security News |
| First-Ever Exploitation of PTC Windchill Vulnerability Discovered — SecurityWeek | Security News |
| PTC Windchill CVE-2026-12569 Exploited — Help Net Security | Security News |
| PTC Windchill Flaw Allows Unauthenticated RCE — Field Effect | Security Research |
| CISA Adds Cisco and PTC Windchill Flaws to KEV — Security Affairs | Security News |