CVE-2026-12569
Remote Code Execution (RCE) vulnerability in Windchill PDMlink
Description
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. The advisory adds two notes: it also applies to all CPS versions, and the vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.
In plain language
CVE-2026-12569 is a critical security hole in PTC Windchill PDMlink and PTC FlexPLM that lets an attacker run code on your server over the network with no login required, so a typical small business should treat it as urgent if those products are reachable from the internet.
CVE-2026-12569 is an unauthenticated remote code execution flaw in PTC Windchill PDMlink and PTC FlexPLM caused by unsafe deserialization of untrusted input; crafted network requests lead to arbitrary code execution on the server. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog on the basis of in-the-wild exploitation, including reports of JSP web shells being dropped on unpatched instances.
What to do now
- Check whether you use PTC Windchill PDMlink or PTC FlexPLM and identify the installed version of each instance.
- If you run Windchill PDMlink, upgrade to 11.0 M030 or later.
- If upgrading isn't immediately possible, follow the vendor's mitigation instructions for CVE-2026-12569 and reduce the service's exposure, especially where it can be reached from the internet.
- Hunt for indicators of compromise consistent with web shell activity, in particular unexpected JSP files under the application's web directories, and confirm after the update that the system has no unauthorized files or unexpected scheduled tasks.
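The last step above, carried out in code. This is an added example for this page, not PTC tooling and not the page's own code: it walks a Windchill web root, flags JSP files that match generic web-shell traits (a request parameter flowing into `Runtime.exec`, `ProcessBuilder`, reflective class loading, Base64 decoding) or that were modified after the last known-good deployment, and ranks the findings. The directory layout, the indicator patterns and both sample JSP files are constructed assumptions, not vendor-published indicators.

```python
"""Web-shell triage for a Windchill web root.

Added example, not PTC tooling and not the page's own code. Assumptions: the
JSP content lives under a directory the operator points the scanner at (the
demo builds one in a temp dir), and the indicator patterns are generic JSP
web-shell traits, not vendor-published IoCs.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Tuple

JSP_EXTENSIONS = (".jsp", ".jspx", ".jspf")

# Generic traits of JSP web shells (constructed list, not vendor-published IoCs).
INDICATORS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(", re.I),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\(", re.I),
    # a request parameter reaching an exec() call within a short window of text
    "param_to_exec": re.compile(r"getParameter\s*\([^)]*\)[\s\S]{0,200}?\.exec\s*\(", re.I),
    "reflective_load": re.compile(r"defineClass\s*\(|URLClassLoader", re.I),
    "base64_decode": re.compile(r"Base64\s*\.\s*(getDecoder|decode)", re.I),
}


@dataclass
class Finding:
    path: str
    mtime: float
    reasons: List[str] = field(default_factory=list)


def scan_webroot(root: str, baseline_epoch: float) -> List[Finding]:
    """Report JSP files under ``root`` that match a shell indicator or were
    modified after ``baseline_epoch`` (the last known-good deploy time).
    Findings with more reasons sort first."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(JSP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            reasons: List[str] = []
            st = os.stat(path)
            # mtime is trivially timestomped, so on its own it is a weak signal,
            # but a JSP newer than the last deploy still deserves a look.
            if st.st_mtime > baseline_epoch:
                reasons.append("modified_after_baseline")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for label, pattern in INDICATORS.items():
                if pattern.search(text):
                    reasons.append(label)
            if reasons:
                findings.append(Finding(path=path, mtime=st.st_mtime, reasons=reasons))
    findings.sort(key=lambda f: (-len(f.reasons), f.path))
    return findings


def build_demo_webroot() -> Tuple[str, float]:
    """Constructed sample web root: one benign JSP older than the baseline and
    one shell-like JSP dropped after it. Returns (root, baseline_epoch)."""
    root = tempfile.mkdtemp(prefix="windchill-demo-")
    jsp_dir = os.path.join(root, "Windchill", "netmarkets", "jsp")  # assumed layout
    os.makedirs(jsp_dir)
    baseline = time.time() - 7 * 86400  # pretend the last good deploy was a week ago

    benign = os.path.join(jsp_dir, "index.jsp")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write('<%@ page contentType="text/html" %>\n'
                 '<html><body>Hello <%= request.getParameter("name") %></body></html>\n')
    os.utime(benign, (baseline - 86400, baseline - 86400))  # predates the baseline

    shell = os.path.join(jsp_dir, "zz.jsp")  # constructed sample, not a real IoC
    with open(shell, "w", encoding="utf-8") as fh:
        fh.write('<% String c = request.getParameter("cmd");\n'
                 '   if (c != null) { Process p = Runtime.getRuntime().exec(c); } %>\n')
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_webroot()
    for f in scan_webroot(demo_root, demo_baseline):
        print(f"{f.path}: {', '.join(f.reasons)}")
```

Point `scan_webroot` at the real web root with the timestamp of the last known-good deployment as the baseline; review every hit by hand, because string matching finds the obvious shells and misses obfuscated ones, and compare the file list against a clean install or the deployment package rather than trusting modification times alone.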
CVSS Vector Breakdown
- AV:N (Attack Vector: Network)
- AC:L (Attack Complexity: Low)
- PR:N (Privileges Required: None)
- UI:N (User Interaction: None)
- S:U (Scope: Unchanged)
- C:H (Confidentiality: High)
- I:H (Integrity: High)
- A:H (Availability: High)
Exploitability
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Attack Graph
MITRE ATT&CK: 3 techniques
References
- Week in review: SimpleHelp vulnerability exploited, Oracle EBS Payments flaw under attack (Help Net Security)
- JSP webshells being dropped on unpatched PTC Windchill instances (Help Net Security)
- ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More (The Hacker News)
- CISA sets urgent deadline to fix Cisco flaw exploited in attacks (BleepingComputer)
- CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue (The Hacker News)
- First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild (SecurityWeek)
- CISA Adds Cisco Unified CM and PTC Windchill Flaws to KEV Catalog (Daily CyberSecurity, securityonline.info; summary only)