
June 26, 2026

Actively exploited PTC Windchill flaw allows unauthenticated RCE


At a glance: CISA added CVE-2026-12569 to its Known Exploited Vulnerabilities catalog on June 25, 2026 after confirming active exploitation of PTC Windchill and FlexPLM systems. The vulnerability enables unauthenticated remote code execution and is being used to deploy web shells, creating persistent access into engineering and manufacturing environments. Organizations running exposed or unsegmented PLM platforms face risk of intellectual property exposure, operational disruption, and lateral movement into broader enterprise systems.

Threat summary

On June 25, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting PTC Windchill Product Lifecycle Management (PLM) and PTC FlexPLM to its Known Exploited Vulnerabilities (KEV) catalog following confirmed exploitation in the wild. This development represents a shift for these platforms, which are now being actively targeted by threat actors operating across engineering, manufacturing, and retail supply chain environments.

Windchill is a product lifecycle management platform used to manage product data, engineering workflows, and manufacturing processes within a centralized, web-based environment. These systems store intellectual property, design documentation, and supply chain data, which increases their value as targets when exposed to external networks or integrated into broader enterprise infrastructure. Deployments are common in aerospace, automotive, defense, heavy machinery, retail, and global manufacturing environments.

The vulnerability, tracked as CVE-2026-12569, results from improper input validation and the deserialization of untrusted data. It allows a remote, unauthenticated threat actor to execute arbitrary code on the underlying application server. The flaw carries a CVSS score of approximately 9.3 and affects multiple supported versions of Windchill and FlexPLM. Exploitation complexity is low and requires no privileges, which supports automated exploitation at scale. Successful exploitation enables full control of the application environment, including access to sensitive engineering data and system processes. Worst-case scenarios include persistent compromise of Windchill and FlexPLM servers, theft or alteration of engineering data, disruption of product development workflows, and pivoting into operational technology environments that depend on accurate product lifecycle data.

The attack path relies on sending crafted requests to vulnerable endpoints without requiring credentials or user interaction. Following initial access, adversaries can deploy web shells, execute commands, and introduce additional tooling, turning Windchill and FlexPLM servers into persistent access points within design, manufacturing, and supply chain environments. Observed activity includes deployment of JavaServer Pages (JSP) web shells, supporting command execution and potential data exfiltration. The threat actor associated with this activity has not been publicly identified.

Analysis

In production environments, compromise can extend beyond the application itself. Windchill instances often integrate with enterprise resource planning systems, supplier platforms, and manufacturing operations, creating a path for lateral movement and operational disruption. The primary impact includes exposure of intellectual property, manipulation of engineering data, and interruption of production processes.

Organizations with internet-exposed instances or limited segmentation between PLM systems and the broader enterprise face increased risk of lateral movement and unauthorized access to engineering and supply chain data.

Applying the latest patches across affected Windchill and FlexPLM systems addresses the underlying vulnerability and removes the primary exploitation path. PTC’s eSupport article provides version-specific remediation steps. Prioritizing internet-facing systems and those supporting critical engineering or manufacturing workflows reduces exposure early in the response process.

Additional recommendations include reducing direct internet exposure, segmenting PLM systems from the rest of the network, and enabling logging and monitoring for unusual requests or web shell activity. Reviewing recent logs, checking for evidence of unauthorized code execution, and ensuring coverage by detection and response processes improve visibility into potential compromise. We cannot verify the availability of temporary workarounds beyond vendor-issued patches and configuration guidance.
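The log review and web shell hunting recommended above can be started with a small script. The following is an added example written for this advisory; it is not code from PTC or from the original post. It assumes a Tomcat-style layout in which JSP files are served from a webapps tree at the URL path that mirrors their location under the root, and an access log in common log format. The directory name "Windchill/app", the file names, the JSP fragments, and the log lines are all constructed for the demonstration. The scanner flags JSP files that were modified after a known-good baseline or that contain Java calls web shells typically need (process execution, class definition, deserialization, Base64 decoding), then correlates the flagged URL paths against access-log requests so a responder can see which client invoked them and when.

```python
"""Added example (not from the advisory or PTC): hunt for JSP web shells under
a Windchill/Tomcat webapps tree and correlate hits with the access log.

Assumptions (hypothetical): JSP files under `root` are served at the URL path
"/<relative path>" and the access log is in Apache/Tomcat common log format.
All sample files and log lines below are constructed for the demo.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Tokens that legitimate JSP views almost never need but web shells almost
# always do. A match is a lead for review, not proof of compromise.
SHELL_INDICATORS = {
    "exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec"),
    "processbuilder": re.compile(r"\bProcessBuilder\b"),
    "defineclass": re.compile(r"\bdefineClass\b"),
    "deserialize": re.compile(r"\bObjectInputStream\b"),
    "base64": re.compile(r"Base64\.getDecoder"),
}

# host ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_jsp_tree(root, newer_than):
    """Report .jsp/.jspx files modified after `newer_than` or containing any
    shell indicator. Strongest leads (recent AND suspicious) sort first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [k for k, rx in SHELL_INDICATORS.items() if rx.search(text)]
            recent = mtime > newer_than
            if hits or recent:
                # URL path as the container would serve it (assumed mapping)
                url_path = "/" + os.path.relpath(full, root).replace(os.sep, "/")
                findings.append({
                    "file": full,
                    "url_path": url_path,
                    "modified": mtime.isoformat(),
                    "indicators": hits,
                    "recently_modified": recent,
                    "score": len(hits) + (1 if recent else 0),
                })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def correlate_access_log(log_lines, findings):
    """Return access-log requests whose path (query string stripped) matches a
    flagged JSP, so the responder sees the calling client, time and method."""
    flagged = {f["url_path"] for f in findings}
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        path = m.group("path").split("?", 1)[0]
        if path in flagged:
            hits.append({"client": m.group("host"), "time": m.group("time"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status"))})
    return hits


# --- Constructed demo data (not real Windchill files or logs) -----------------
BENIGN_JSP = '<%@ page contentType="text/html" %>\n<html><body>Part list</body></html>\n'
# Non-functional fragment that merely contains indicator tokens.
SUSPECT_JSP = '<%-- constructed sample --%>\n<% Runtime.getRuntime().exec; new ProcessBuilder; %>\n'
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jun/2026:03:14:09 +0000] "GET /Windchill/app/part.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Jun/2026:03:15:42 +0000] "POST /Windchill/app/sync.jsp?v=1 HTTP/1.1" 200 318',
    'not a log line',
]


def run_demo():
    """Build a throwaway webapps tree, scan it, and correlate with the log."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Windchill", "app")  # hypothetical context path
    os.makedirs(app)
    benign = os.path.join(app, "part.jsp")
    with open(benign, "w") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(app, "sync.jsp"), "w") as fh:
        fh.write(SUSPECT_JSP)
    now = datetime.now(timezone.utc)
    old = (now - timedelta(days=30)).timestamp()
    os.utime(benign, (old, old))  # benign page predates the baseline
    baseline = now - timedelta(days=1)  # last known-good deployment
    findings = scan_jsp_tree(root, baseline)
    hits = correlate_access_log(SAMPLE_LOG, findings)
    return findings, hits


if __name__ == "__main__":
    for f, h in zip(*run_demo()):
        print(f["url_path"], f["indicators"], "->", h["client"], h["method"])
```

In practice, `newer_than` should be the timestamp of the last legitimate deployment or patch, and any file the scan flags should be compared against a clean copy of the same release before it is treated as a web shell, since patterns like `ObjectInputStream` also occur in legitimate code.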
