CVE-2026-12569

Remote Code Execution (RCE) vulnerability in Windchill PDMlink

Published: Jun 18, 2026 · Updated: Jun 30, 2026 · Sources: CVE List, NVD · Weakness: CWE-20

Description

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.

  * This advisory also applies to all CPS versions.
  * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.
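The page does not show the vulnerable code, and Windchill is not written in Python, so the following is an added illustration of the vulnerability class only (deserialization of untrusted data), using Python's pickle format. It is not PTC's code. The `Gadget` class, the `os.getpid` stand-in for a command-execution primitive, and the allow-list contents are assumptions made for the demo. It shows why handing attacker-controlled bytes to a general-purpose deserialiser is code execution (the attacker ships no code, only a reference to a callable that already exists on the server), and the usual fix: an allow-list of the exact types the protocol needs, enforced before anything is instantiated.

```python
import datetime
import io
import os
import pickle


class Gadget:
    """Constructed attacker object. __reduce__ instructs the unpickler to CALL
    a function of the attacker's choosing, with attacker-chosen arguments,
    while 'reconstructing' the object. os.getpid stands in for os.system or
    subprocess.Popen so the demo is harmless; the mechanism is identical."""

    def __reduce__(self):
        return (os.getpid, ())


def build_payload() -> bytes:
    # Attacker side: the bytes that would travel inside the crafted request.
    # No code is shipped, only a reference to a callable already on the server.
    return pickle.dumps(Gadget())


def unsafe_load(data: bytes):
    # Vulnerable pattern: untrusted bytes go straight into a general-purpose
    # deserialiser, which resolves any importable callable and invokes it.
    return pickle.loads(data)


class AllowListUnpickler(pickle.Unpickler):
    # Hardened pattern: only the (module, name) pairs the application's own
    # message types need may be resolved. os.*, subprocess.*, builtins.eval
    # and everything else are rejected before any call can happen.
    # The allow-list below is an assumption for this demo.
    ALLOWED = {("datetime", "datetime")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)


def safe_load(data: bytes):
    return AllowListUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    payload = build_payload()
    # True: the attacker-chosen function ran inside the deserialiser and its
    # return value became the "deserialised object".
    executed = unsafe_load(payload) == os.getpid()
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # A legitimate message (constructed sample) still round-trips.
    benign = safe_load(pickle.dumps(
        {"part": "widget", "rev": 3, "ts": datetime.datetime(2026, 6, 18)}))
    return {"executed": executed, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The allow-list belongs on the deserialiser, not on the network edge: a filter that inspects request bodies for known gadget names is bypassable, whereas `find_class` is the single point every class reference must pass through. The same design applies to Java's `ObjectInputFilter` or any other native serialisation format.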

In plain language


CVE-2026-12569 is a critical security hole in PTC Windchill PDMlink and PTC FlexPLM that lets an attacker run code on your server over the network, with no login required. A typical small business running either product should treat it as urgent, especially if the server can be reached from the internet.

Executive summary

CVE-2026-12569 is an unauthenticated remote code execution flaw in PTC Windchill PDMlink and PTC FlexPLM caused by unsafe deserialization of untrusted input; a crafted network request is enough to execute arbitrary code on the server. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, with reports of in-the-wild exploitation and web shell deployment.

Business impact if affected

  * Full server takeover
  * Web shell persistence
  * Data theft and damage
  * Service disruption

What to do now

  1. Check whether you use PTC Windchill PDMlink or PTC FlexPLM and identify the installed release (the advisory also covers all CPS versions).
  2. Upgrade to the release the vendor designates as fixed; this page lists 11.0 M030 or later for Windchill PDMlink, and releases prior to 11.0 M030 are confirmed affected.
  3. If upgrading isn't immediately possible, apply the vendor's mitigation instructions for CVE-2026-12569 and reduce the service's exposure, especially if it can be reached from the internet.
  4. Hunt for indicators of compromise consistent with web shell activity, and after updating confirm the system has no unauthorized files or unexpected scheduled tasks. Patching closes the entry point but does not remove a shell that was already dropped.
Remediation effort: usually a quick update
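Step 4 above is the part that cannot be scripted by the vendor, so here is an added example of the file-system half of that hunt, written for this page rather than taken from it or from PTC. It assumes (the page does not say) that the web tier serves JSP pages, so the indicators target Java execution primitives; the sample web root, file names and shell contents are constructed for the demo. The scan flags two things independently: any file changed after a baseline you trust (for example, the last known-good deploy), and any server page that contains a command-execution primitive regardless of its timestamp, since attackers routinely backdate dropped files. Scheduled-task review is OS-specific and not shown.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Indicators of server-side web shells. Assumption, not stated on this page:
# the web tier serves JSP, so the patterns target Java execution primitives.
# Add PHP/ASPX equivalents if your deployment differs.
SHELL_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"new\s+ProcessBuilder\s*\("),
    re.compile(rb"javax\.script\.ScriptEngine"),
    re.compile(rb"Class\.forName\([^)]*\)\.getMethod"),
]
SERVER_PAGE_EXTS = {".jsp", ".jspx", ".jspf"}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def hunt_web_root(root: str, since_epoch: float) -> list:
    """Walk a web root and flag (a) any file changed after since_epoch, the
    trusted baseline, and (b) any server page containing an execution
    primitive, whatever its mtime says (timestamps are attacker-controlled)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.stat(path).st_mtime >= since_epoch:
                reasons.append("modified after baseline")
            if os.path.splitext(name)[1].lower() in SERVER_PAGE_EXTS:
                with open(path, "rb") as fh:
                    body = fh.read(512 * 1024)  # shells are small; cap reads
                for pat in SHELL_PATTERNS:
                    if pat.search(body):
                        reasons.append("execution primitive: " + pat.pattern.decode())
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


def build_sample_tree():
    """Constructed sample web root (not real product files): a legitimate JSP
    dated before the baseline and a dropped command shell dated after it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    baseline = time.time() - 3600
    legit = os.path.join(root, "index.jsp")
    with open(legit, "wb") as fh:
        fh.write(b'<%@ page language="java" %><html>Welcome</html>')
    os.utime(legit, (baseline - 86400, baseline - 86400))  # last week
    shell = os.path.join(root, "cmd.jsp")
    with open(shell, "wb") as fh:
        fh.write(b'<%@ page import="java.io.*" %>'
                 b'<% String c = request.getParameter("cmd");'
                 b' Process p = Runtime.getRuntime().exec(c); %>')
    return root, baseline


def demo() -> dict:
    # Maps file name -> list of reasons it was flagged.
    root, baseline = build_sample_tree()
    return {os.path.basename(f.path): f.reasons for f in hunt_web_root(root, baseline)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

Run it against the real web root with a baseline taken from your deployment records, not from the file system you are investigating, and triage "modified after baseline" hits against your change log before treating them as malicious. Content hits on server pages should be treated as compromise until proven otherwise.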

CVSS Vector Breakdown

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability
  AV:N  Attack Vector        Network
  AC:L  Attack Complexity    Low
  PR:N  Privileges Required  None
  UI:N  User Interaction     None
Scope
  S:U   Scope                Unchanged
Impact
  C:H   Confidentiality      High
  I:H   Integrity            High
  A:H   Availability         High

Weaknesses

CWE-20 (Improper Input Validation), as classified in the sources above. The mechanism described, deserialization of untrusted data, corresponds more specifically to CWE-502; treat the classification as a pointer to input handling, not as a statement that simple input validation is a sufficient fix.

Affected Products

PTC (commercial vendor, US); also listed as: kepware kepserverex, thingworx industrial connectivity, thingworx kepware server
and 2 more affected products

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Jun 25, 2026
Remediation due:Jun 28, 2026

Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.


MITRE ATT&CK

3 techniques mapped, under the Execution and Initial Access tactics.

