Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is
Analysis Summary
# Vulnerability: Critical Deserialization RCE in PTC Windchill and FlexPLM
## CVE Details
- **CVE ID:** CVE-2026-12569
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data) / Improper Input Validation
## Affected Systems
- **Products:** PTC Windchill PDMlink; PTC FlexPLM
- **Versions:** Multiple enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) versions (refer to vendor advisory for specific build numbers).
- **Configurations:** Systems with internet-facing login endpoints.
## Vulnerability Description
CVE-2026-12569 is a remote code execution (RCE) flaw arising from improper input validation during the deserialization of data. An unauthenticated attacker can execute arbitrary code on the target server by sending a specially crafted malicious request over the network. Once exploited, this allows for the deployment of persistent backdoors such as web shells.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV on June 25, 2026).
- **Complexity:** Low
- **Attack Vector:** Network
- **Observed Behavior:** Attackers are deploying JSP web shells to the `/Windchill/login/` directory to maintain persistence.
## Impact
- **Confidentiality:** High (Full access to PDM/PLM data)
- **Integrity:** High (Ability to modify software lifecycle data and system files)
- **Availability:** High (Potential for system takeover or ransomware deployment)
## Remediation
### Patches
- PTC released patches for the affected products in mid-June 2026. Users should immediately update to the latest available vendor-provided versions.
### Workarounds
- **Network Filtering:** Restrict internet exposure of the Windchill login endpoint.
- **WAF/IDS:** Implement rules to block any HTTP requests containing the header `X-windchill-req:`.
- **IP Blocking:** Immediately block the known C2 IP address: `5.180.41[.]35`.
## Detection
### Indicators of Compromise (IoCs)
- **Attacker IPs:**
  - `172.111.38[.]31`
  - `216.152.148[.]54`
  - `104.243.35[.]131`
  - `74.50.76[.]146`
  - `5.180.41[.]35` (Command-and-Control)
- **File Artifacts:**
  - Presence of `flst.txt` in the `/tmp` or Windchill working directory (indicates file-listing activity).
  - JSP files in `/Windchill/login/` matching the 16-character hex pattern: `[0-9a-f]{16}.jsp`.
- **Web Shell Hash (SHA-256):** `55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c`
### Detection Methods
- **Log Analysis:** Search HTTP access logs for unexpected `POST` requests to `/Windchill/login/*.jsp`.
- **Filesystem Audit:** Scan for the 16-character hex JSP pattern mentioned above.
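The two detection methods above, implemented as an added example (not part of the original report or of any vendor tooling): the first function scans combined-format HTTP access log lines for `POST` requests to a 16-hex-character JSP under `/Windchill/login/` or from one of the listed attacker IPs, and the second audits a login directory for JSP files matching that naming pattern and compares their SHA-256 to the published web shell hash. The log format, the sample log lines and the directory path are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Indicators taken from the report: 16-hex-char JSP names under /Windchill/login/,
# the SHA-256 of the observed web shell, and the listed attacker IPs.
WEBSHELL_PATH_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
WEBSHELL_SHA256 = "55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c"
ATTACKER_IPS = {"172.111.38.31", "216.152.148.54", "104.243.35.131", "74.50.76.146", "5.180.41.35"}

# Assumed combined/common log format: client IP ... [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_requests(log_lines):
    """Return (ip, method, path, reason) for lines matching the report's log indicators."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        path = path.split("?", 1)[0]  # drop the query string before matching the path
        reasons = []
        if method == "POST" and WEBSHELL_PATH_RE.match(path):
            reasons.append("POST to 16-hex JSP under /Windchill/login/")
        if ip in ATTACKER_IPS:
            reasons.append("known attacker IP")
        if reasons:
            hits.append((ip, method, path, "; ".join(reasons)))
    return hits

def audit_login_dir(login_dir):
    """Return (path, sha256, matches_known_hash) for JSP files named like the web shell."""
    findings = []
    for p in Path(login_dir).glob("*.jsp"):
        if not re.fullmatch(r"[0-9a-f]{16}\.jsp", p.name):
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        findings.append((str(p), digest, digest == WEBSHELL_SHA256))
    return findings

# Constructed sample log lines (not real traffic) to exercise the checks.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jun/2026:10:00:01 +0000] "GET /Windchill/app/ HTTP/1.1" 200 512',
    '172.111.38.31 - - [25/Jun/2026:10:02:13 +0000] "POST /Windchill/login/3f9a1c7e2b8d4a60.jsp HTTP/1.1" 200 88',
    '10.0.0.7 - - [25/Jun/2026:10:03:40 +0000] "POST /Windchill/login/abcd.jsp HTTP/1.1" 404 0',
    '10.0.0.9 - - [25/Jun/2026:10:05:02 +0000] "POST /Windchill/login/00112233aabbccdd.jsp?cmd=x HTTP/1.1" 200 10',
]
```

Run `suspicious_requests(SAMPLE_LOG)` to see the two flagged lines, and point `audit_login_dir` at the real `/Windchill/login/` directory on a server under investigation.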
## References
- **CISA KEV Catalog:** hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Vendor Advisory:** hxxps://www.ptc[.]com/en/support/advisories (Defanged)
- **Full Report:** hxxps://thehackernews[.]com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html