9.3
/ 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:L/AU:Y/U:Red/R:U/V:C
Description
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is **CVE-2026-12569** (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network.
"The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data," according to an advisory released by PTC.
Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that "we've received continued reports of heightened threat activity," with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems.
PTC has also released the following indicators of compromise (IoCs) associated with the activity -
* 172.111.38.31
* 216.152.148.54
* 104.243.35.131
* 74.50.76.146
* 5.180.41.35
* 216.152.148.54
* 5.180.41.35 (Attacker command-and-control address)
* Web shell files following the naming pattern /Windchill/login/[0-9a-f]{16}.jsp
As mitigations, users are advised to perform the following actions -
* Block **5.180.41.35** at the perimeter firewall immediately
* Search HTTP access logs for any POST requests to **/Windchill/login/*.jsp**
* Scan the filesystem for JSP files matching the 16-hex-char pattern **/Windchill/login/[0-9a-f]{16}.jsp**
* Hash-check any suspicious JSP files against **55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c**
* Check for **flst.txt** in /tmp or the Windchill working directory, the presence of which confirms attacker file-listing activity
* Add WAF / IDS rule blocking any request containing the header **X-windchill-req:**
* Restrict internet exposure of the Windchill login endpoint where operationally possible
The development makes it the first-ever PTC product vulnerability added to CISA's KEV catalog, not to mention highlighting how threat actors are rapidly weaponizing newly disclosed vulnerabilities to their advantage.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is **CVE-2026-12569** (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network.
"The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data," according to an advisory released by PTC.
Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that "we've received continued reports of heightened threat activity," with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems.
PTC has also released the following indicators of compromise (IoCs) associated with the activity -
* 172.111.38.31
* 216.152.148.54
* 104.243.35.131
* 74.50.76.146
* 5.180.41.35
* 216.152.148.54
* 5.180.41.35 (Attacker command-and-control address)
* Web shell files following the naming pattern /Windchill/login/[0-9a-f]{16}.jsp
As mitigations, users are advised to perform the following actions -
* Block **5.180.41.35** at the perimeter firewall immediately
* Search HTTP access logs for any POST requests to **/Windchill/login/*.jsp**
* Scan the filesystem for JSP files matching the 16-hex-char pattern **/Windchill/login/[0-9a-f]{16}.jsp**
* Hash-check any suspicious JSP files against **55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c**
* Check for **flst.txt** in /tmp or the Windchill working directory, the presence of which confirms attacker file-listing activity
* Add WAF / IDS rule blocking any request containing the header **X-windchill-req:**
* Restrict internet exposure of the Windchill login endpoint where operationally possible
The development makes it the first-ever PTC product vulnerability added to CISA's KEV catalog, not to mention highlighting how threat actors are rapidly weaponizing newly disclosed vulnerabilities to their advantage.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Basic Information
ID
THN:051D862466EBE7A5DE6BB7DD92EA2EA6
Published
Jun 26, 2026 at 12:31