Hackers Exploit Critical PTC Windchill PLM Software Flaw
CSO Online reported on June 26 that hackers are exploiting CVE-2026-12569, a recently patched unsafe deserialization flaw enabling remote code execution in PTC Windchill and FlexPLM.
At a glance
- CVE-2026-12569, an unsafe deserialization flaw allowing RCE in PTC Windchill and FlexPLM, is being actively exploited per CSO Online.
- The flaw is located in the Windchill PDMLink component and rated CVSS 9.3.
- Affected PLM software is used in defense, aerospace, automotive, medical and other industries.
VERDICT — CONFIRMED
Hackers are actively exploiting CVE-2026-12569, a recently patched unsafe deserialization flaw that enables remote code execution in PTC Windchill and FlexPLM, CSO Online reported on June 26.
The vulnerability sits in the web-based Windchill PDMLink product data management component and is rated 9.3 on the CVSS scale, per CSO Online. Affected versions listed in the report include Windchill 13.1.1, 13.0.2, 12.1.2, 12.0.2, 11.2.1, 11.1 M020 and 11.0 M030.
PTC alerted customers and shared mitigation instructions on June 17, then released patches for the listed versions on June 19 and 20, per the report. On June 25, the US Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog. Customers have reported "heightened threat activity," per CSO Online, with attackers deploying web shells — backdoor web scripts — on compromised instances.
The affected product lifecycle management software is used across defense, aerospace, automotive, medical, electronics, industrial machinery and consumer goods organizations, per the report, which noted manufacturers including BMW, Lockheed Martin, Boeing and NVIDIA among the user base — placing sensitive intellectual property at potential risk.
Background
PTC, headquartered in Boston, is a longstanding vendor of industrial software. Product lifecycle management platforms such as Windchill act as the system of record for product design data — CAD models, bills of materials, engineering change orders — which makes them concentrated repositories of a manufacturer's most valuable intellectual property and durable targets for industrial espionage. FlexPLM is the company's PLM offering for retail, footwear and apparel businesses.
Unsafe deserialization is a well-documented vulnerability class in which an application reconstructs data objects from untrusted input, allowing crafted payloads to trigger code execution on the server. CISA's Known Exploited Vulnerabilities catalog lists only flaws with confirmed in-the-wild exploitation, and under Binding Operational Directive 22-01 US federal civilian agencies are required to remediate catalogued vulnerabilities by set deadlines — making a KEV listing a de facto escalation for private-sector defenders as well.
What comes next
Organizations running affected Windchill or FlexPLM versions face the standard sequence a KEV listing implies: apply PTC's patches or mitigations, then hunt for web shells and other signs of prior compromise, since patching alone does not evict attackers already inside. Watch for further indicators of compromise and any attribution of the exploitation activity in follow-on reporting.
Key facts on file
- CVE-2026-12569, an unsafe deserialization flaw allowing RCE in PTC Windchill and FlexPLM, is being actively exploited per CSO Online.
- The flaw is located in the Windchill PDMLink component and rated CVSS 9.3.
- Affected PLM software is used in defense, aerospace, automotive, medical and other industries.