Bottom line: Web shells are being installed in the widely used Windchill PLM software to persistently execute commands and exfiltrate enterprise data.
The US agency CISA has registered the vulnerability CVE-2026-12569 in PTC Windchill and FlexPLM as actively exploited. Attackers use it to compromise entire systems without authentication.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-12569 to its catalog of actively exploited security vulnerabilities – the first listing of a PTC product ever. The vulnerability affects the PLM platforms Windchill and FlexPLM, which are used for Product Lifecycle Management. A remote attacker can send specially manipulated requests without authentication through faulty input validation and execute arbitrary code on target systems.
PTC began distributing security updates on June 17, 2026. On June 18, the company published indicators of compromise. Attackers install persistent JavaServer Pages web shells on affected servers to remotely execute commands and exfiltrate enterprise data. PTC confirmed “elevated threat activity,” though the identity of the attackers remains unknown. US federal agencies have been instructed to remediate the vulnerability by June 28, 2026.
Windchill is widespread in industrial manufacturing – in the automotive industry, aerospace, defense industry, and heavy machinery. Active exploitation of this unauthenticated code execution vulnerability thus threatens operational technology environments and critical supply chains. Already in March 2026, German police authorities had warned of an earlier Windchill vulnerability.
Source: www.it-daily.net · Published June 26, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.