PROBABLYPWNED
Vulnerabilities · June 28, 2026 · 3 min read

PTC Windchill RCE Under Active Attack—CISA Deadline Today

CVE-2026-12569 (CVSS 9.3) in PTC Windchill PLM software is being exploited to deploy web shells. First PTC product ever added to CISA KEV catalog.

Marcus Chen

CISA added CVE-2026-12569 to its Known Exploited Vulnerabilities catalog on June 25, marking the first time a PTC product has made the list. The federal remediation deadline is today, June 28—and attackers are already deploying web shells against vulnerable systems.

What's Happening

The vulnerability is a critical remote code execution flaw (CVSS 9.3) in PTC Windchill PDMLink and FlexPLM. It stems from deserialization of untrusted data, allowing attackers to execute arbitrary code by sending malicious network requests.

PTC confirmed on June 25 that they've "received continued reports of heightened threat activity," with unknown attackers deploying JSP web shells to maintain persistent access. The web shells follow a predictable naming pattern:

/Windchill/login/[0-9a-f]{16}.jsp

Once a web shell is planted, attackers have persistent remote access—even if the original vulnerability is later patched.

Why This Matters

Windchill is the product lifecycle management (PLM) platform of choice for sensitive manufacturing sectors. Its customer base includes automotive, aerospace, defense, and heavy machinery manufacturers—exactly the industries nation-state actors target for intellectual property theft.

The ability for unauthenticated attackers to gain persistent access via web shells creates serious risk of long-term compromise and data exfiltration. PLM systems contain detailed product designs, engineering specifications, and supply chain data that competitors and foreign intelligence services prize.

This follows a pattern we've tracked across other supply chain compromises, where attackers target business-critical systems that organizations can't easily take offline.

Indicators of Compromise

Security teams should hunt for evidence of exploitation:

Network indicators:

  • Block attacker C2 address: 5.180.41.35
  • Search HTTP logs for POST requests to /Windchill/login/*.jsp
  • Monitor for requests containing X-windchill-req: header

File indicators:

  • Scan for JSP files matching the pattern above
  • Look for flst.txt in /tmp or Windchill working directories
  • File hash: 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
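Added example, not code from the article or from PTC: a small Python hunt that applies the three network indicators above (the 16-hex web shell path pattern, the C2 address and the X-windchill-req header) to HTTP log records. The JSON-lines log format, hosts, timestamps and non-indicator paths are constructed assumptions for the example.

```python
import json
import re
from typing import Iterable

# Indicators taken from the article: web shell path pattern, C2 address, request header.
WEBSHELL_PATH = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
C2_ADDRESS = "5.180.41.35"
SUSPICIOUS_HEADER = "x-windchill-req"

# Constructed sample records in a hypothetical JSON-lines reverse-proxy log format;
# hosts, timestamps and paths other than the indicators are made up for the example.
SAMPLE_LOG = """
{"ts": "2026-06-26T02:14:09Z", "src": "203.0.113.7", "method": "GET", "path": "/Windchill/app/", "headers": {"User-Agent": "Mozilla/5.0"}}
{"ts": "2026-06-26T02:14:11Z", "src": "203.0.113.7", "method": "POST", "path": "/Windchill/app/", "headers": {"X-windchill-req": "1"}}
{"ts": "2026-06-26T02:15:30Z", "src": "203.0.113.7", "method": "POST", "path": "/Windchill/login/3f9a1c2e7b4d6085.jsp", "headers": {"User-Agent": "curl/8.0"}}
{"ts": "2026-06-26T02:16:02Z", "src": "5.180.41.35", "method": "GET", "path": "/Windchill/login/3f9a1c2e7b4d6085.jsp", "headers": {}}
{"ts": "2026-06-26T02:17:45Z", "src": "198.51.100.4", "method": "GET", "path": "/Windchill/login/login.jsp", "headers": {}}
"""


def hunt(lines: Iterable[str]) -> list[dict]:
    """Return one finding per record that matches at least one indicator.

    The path check uses the 16-hex-character regex rather than the looser
    /Windchill/login/*.jsp glob, so legitimate pages such as login.jsp do not fire.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        hits = []
        if WEBSHELL_PATH.match(rec["path"]):
            hits.append("webshell_path")
        if rec["src"] == C2_ADDRESS:
            hits.append("c2_address")
        # Header names are case-insensitive, so compare lowercased.
        if any(k.lower() == SUSPICIOUS_HEADER for k in rec.get("headers", {})):
            hits.append("windchill_req_header")
        if hits:
            findings.append({"ts": rec["ts"], "src": rec["src"], "method": rec["method"],
                             "path": rec["path"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['src']:>15} {f['method']:<4} {f['path']}  <- {', '.join(f['hits'])}")
```

A hit on the header or the C2 address alone may be an attempt rather than a success; a hit on the web shell path means the file already exists and the host should go to forensic review before patching.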

Affected Versions

PTC's security advisory lists multiple affected versions of Windchill and FlexPLM. Organizations running any internet-facing Windchill deployment should treat this as an emergency.

Immediate Actions

  1. Apply PTC's security update released June 18. This is now mandatory for federal agencies and urgent for everyone else.

  2. Hunt for existing compromise using the IOCs above before patching. If attackers already have a web shell, patching alone won't remove their access.

  3. Implement network controls:

    • Deploy WAF/IDS rules blocking requests with the suspicious header
    • Restrict internet-facing access to Windchill login endpoints where feasible

  4. Conduct forensic review of any system showing indicators of compromise. Web shell deployment usually precedes data exfiltration.

The Bigger Picture

This is the first PTC vulnerability to hit the CISA KEV catalog, which underscores how quickly attackers weaponize flaws in less-scrutinized enterprise software. Organizations often patch Microsoft and Cisco vulnerabilities promptly while letting niche vendor patches languish.

Attackers know this. They're actively hunting for the next CISA KEV addition in enterprise software that flies under the radar.

If you run Windchill, assume you're a target and act accordingly.
