
Mark0


CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-12569, a critical remote code execution (RCE) vulnerability in PTC Windchill PDMlink and FlexPLM, to its Known Exploited Vulnerabilities (KEV) catalog on evidence of active exploitation. This is the first PTC product vulnerability to appear in the catalog, and the speed with which it was weaponized is another reminder of how quickly newly disclosed flaws are picked up by threat actors.

The flaw carries a CVSS score of 9.3. It is an improper input validation issue that is reached through deserialization of untrusted data, allowing an attacker to execute arbitrary code on the application server. Patches are available, but PTC has confirmed that threat activity remains elevated, with as-yet-unidentified attackers deploying JSP web shells on vulnerable systems.

PTC has published indicators of compromise (IoCs): the IP address 5.180.41.35, used for command and control (C2); web shells written to paths matching /Windchill/login/[0-9a-f]{16}.jsp; and the presence of a file named flst.txt. Users are strongly advised to block the C2 IP at the firewall, search web server logs and the filesystem for the web shell pattern, check for flst.txt, restrict internet exposure of the Windchill login endpoint, and deploy WAF/IDS rules. Two caveats a responder should keep in mind: a single C2 address is a point-in-time indicator and attackers rotate infrastructure, so the file and path patterns are the more durable signal; and applying the patch does not remove a web shell that was dropped before the patch went in, so already-patched systems still need to be swept.
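To make the log-and-filesystem hunt concrete, here is an added example (not PTC's guidance or tooling, and not code from the original post) in Python that checks Apache/Tomcat-style access log lines and a directory tree against the three published indicators. The access log format, the sample lines, the client addresses from documentation ranges, and the constructed directory tree are all assumptions; only the C2 address, the path pattern and the flst.txt filename come from the advisory summary above. The dot in the published pattern is treated as a literal dot.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# IoCs taken from the advisory summary above.
C2_IP = "5.180.41.35"
# Published pattern: /Windchill/login/[0-9a-f]{16}.jsp. The dot is escaped
# on the assumption that it means a literal dot, not a regex wildcard.
WEBSHELL_PATH_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
WEBSHELL_NAME_RE = re.compile(r"^[0-9a-f]{16}\.jsp$")
FLAG_FILE = "flst.txt"

# Minimal parser for combined-format access log lines (an assumed format;
# adjust the regex to whatever the server in front of Windchill writes).
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log. Client IPs are from documentation ranges; only
# 5.180.41.35 is the real indicator. The hex name is made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120',
    '5.180.41.35 - - [01/Jan/2026:10:01:12 +0000] "POST /Windchill/servlet/rfa HTTP/1.1" 500 0',
    '198.51.100.23 - - [01/Jan/2026:10:01:30 +0000] "GET /Windchill/login/3f2a9c1e7b4d8e05.jsp?cmd=id HTTP/1.1" 200 318',
    '198.51.100.23 - - [01/Jan/2026:10:02:00 +0000] "GET /Windchill/login/flst.txt HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2026:10:03:00 +0000] "GET /Windchill/login/login.jsp HTTP/1.1" 200 2048',
]


def scan_access_log(lines):
    """Return (reason, line) tuples for every log line that matches an IoC."""
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line.strip())
        if not m:
            continue  # not a request line in the expected format; skip it
        path = urlsplit(m.group("target")).path  # drop query string before matching
        if m.group("ip") == C2_IP:
            hits.append(("c2_ip", line))
        if WEBSHELL_PATH_RE.match(path):
            # Any request to such a path is worth a look; a 200 means the
            # shell is deployed and answering.
            hits.append(("webshell_request", line))
        if path.endswith("/" + FLAG_FILE):
            hits.append(("flag_file_request", line))
    return hits


def scan_filesystem(root):
    """Walk root (e.g. the Windchill webapp directory) and list suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == FLAG_FILE:
                hits.append(("flag_file", full))
            elif WEBSHELL_NAME_RE.match(name) and os.path.basename(dirpath) == "login":
                hits.append(("webshell_file", full))
    return hits


def build_sample_tree(root):
    """Create a constructed tree: one shell-like file, one flag file, benign files."""
    login = os.path.join(root, "Windchill", "login")
    os.makedirs(login)
    for name, body in [
        ("3f2a9c1e7b4d8e05.jsp", "<%-- constructed stand-in, not a real shell --%>"),
        ("login.jsp", "<html>benign login page</html>"),
    ]:
        with open(os.path.join(login, name), "w") as f:
            f.write(body)
    with open(os.path.join(root, "Windchill", FLAG_FILE), "w") as f:
        f.write("")


def demo_filesystem():
    """Run the filesystem sweep over the constructed tree; return sorted reasons."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(reason for reason, _ in scan_filesystem(root))


if __name__ == "__main__":
    for reason, line in scan_access_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print(demo_filesystem())
```

The log scan matches on the decoded path with the query string stripped, so a request like `...3f2a9c1e7b4d8e05.jsp?cmd=id` still matches the path pattern; the filesystem sweep only flags 16-hex-character `.jsp` files that sit directly in a directory named `login`, which keeps legitimate pages such as `login.jsp` out of the results. Point `scan_filesystem` at the Windchill installation root on each server, including ones already patched.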


