The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a significant remote code execution (RCE) vulnerability affecting PTC’s Windchill PDMlink and FlexPLM software, now added to their Known Exploited Vulnerabilities (KEV) catalog. This inclusion follows confirmed reports of active exploitation by threat actors.
Details of the Vulnerability
The vulnerability, designated as CVE-2026-12569, holds a CVSS score of 9.3, underscoring its critical nature. It arises from improper input validation, enabling attackers to execute arbitrary code through malicious network requests. According to PTC, the flaw can be exploited via deserialization of untrusted data.
Despite the release of patches last week, PTC reported continued exploitation as of June 25, with attackers deploying JSP web shells on vulnerable systems. This ongoing activity highlights the urgency for users to apply mitigations promptly.
Indicators of Compromise and Mitigation Strategies
PTC has disclosed several indicators of compromise (IoCs) associated with the current threat, including specific IP addresses and file naming patterns used by the attackers. Users are urged to block the IP address 5.180.41.35 at their perimeter firewall and inspect HTTP access logs for suspicious POST requests.
Additional recommendations include scanning for JSP files matching the pattern /Windchill/login/[0-9a-f]{16}.jsp and verifying any suspicious files against a known hash. Users should also check for the presence of flst.txt in specific directories, indicating potential compromise, and implement WAF/IDS rules to block malicious requests.
Implications and Future Outlook
This marks the first instance of a PTC product vulnerability being added to CISA’s KEV catalog, emphasizing the rapid exploitation of newly disclosed vulnerabilities. Organizations using PTC software are advised to limit internet exposure of the Windchill login endpoint where possible to minimize risk.
As cyber threats continue to evolve, businesses must remain vigilant and proactive in their security measures. Monitoring for emerging threats and applying timely patches are essential steps in protecting against sophisticated cyberattacks.
