PTC Windchill flaw exploited for remote code execution on manufacturing systems

Attackers are actively exploiting a critical flaw in PTC Windchill and FlexPLM, product lifecycle management software widely used across automotive, aerospace, defense, and manufacturing to store designs, engineering data, and intellectual property. The bug (CVE-2026-12569) is an unsafe deserialization issue that lets an unauthenticated attacker run code remotely by sending a crafted request. PTC patched it in mid-June, but has since reported heightened activity, with attackers deploying JSP web shells for command execution and data theft. CISA added it to its Known Exploited Vulnerabilities catalog, the first-ever PTC product to be listed, with a federal deadline of June 28. PTC has published indicators of compromise.

Check
Inventory PTC Windchill and FlexPLM instances and versions, restrict internet exposure of the login endpoint, and hunt for the JSP web shells and indicators of compromise PTC published.
Affected
Organizations running unpatched PTC Windchill or FlexPLM (CVE-2026-12569), especially internet-facing instances; manufacturers in automotive, aerospace, and defense risk remote code execution, intellectual-property theft, and supply-chain compromise.
Fix
Apply PTC's patches for your Windchill or FlexPLM version immediately, restrict the login endpoint to trusted networks, load the published IOCs into your detection tooling, and check for web shells before assuming systems are clean.
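A starting point for the web-shell hunt named in Check and Fix, as an added example that is not PTC's code or tooling: it walks a web root for .jsp/.jspx files whose source shows the markers typical of JSP web shells (request input reaching process execution, runtime class loading). The web root, the indicator patterns and the sample files are constructed for the example; PTC's published IOCs (file names, hashes) are not on this page and should be added to the indicator list.

```python
"""Hunt for JSP web shells under a Windchill/FlexPLM web root. Added example, not
PTC's code; web root, patterns and sample files are constructed placeholders."""
import os
import re
import shutil
import tempfile
# Source markers common to JSP web shells: request input reaching process
# execution, or bytecode loaded at runtime. Add PTC's published IOCs here.
INDICATORS = [
    ("runtime_exec", re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\(")),
    ("process_builder", re.compile(r"new\s+ProcessBuilder\s*\(")),
    ("define_class", re.compile(r"\bdefineClass\s*\(")),
    ("param_to_exec", re.compile(r"getParameter[\s\S]*\.exec\s*\(|\.exec\s*\([^;]*getParameter")),
]

def scan_source(src):
    """Return indicator names matching a JSP source string (empty if clean)."""
    return [name for name, rx in INDICATORS if rx.search(src)]

def hunt_webroot(webroot):
    """Map each matching .jsp/.jspx (path relative to webroot, '/' separators)
    to the indicators it triggered; unreadable files are skipped."""
    hits = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    matched = scan_source(fh.read())
            except OSError:
                continue
            if matched:
                hits[os.path.relpath(full, webroot).replace(os.sep, "/")] = matched
    return hits

def demo():
    """Constructed web root: one benign page, one shell-like page; returns the hits."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        os.makedirs(os.path.join(root, "upload"))
        with open(os.path.join(root, "index.jsp"), "w") as fh:
            fh.write("<html><body><%= new java.util.Date() %></body></html>\n")
        with open(os.path.join(root, "upload", "x.jsp"), "w") as fh:
            fh.write('<% String c = request.getParameter("cmd");\n'
                     '   Runtime.getRuntime().exec(c); %>\n')
        return hunt_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Point hunt_webroot at the actual Windchill web root and review every hit by hand; a match on a vendor-shipped page is a prompt to compare it against a clean install, not proof of compromise.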