Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
NEWS

CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue

CISA has added CVE-2026-12569, a critical remote code execution vulnerability in PTC Windchill PDMlink and FlexPLM, to its Known Exploited Vulnerabilities...

Dylan H.

News Desk

June 26, 2026
4 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-12569 — a critical remote code execution vulnerability in PTC's enterprise Product Lifecycle Management (PLM) software — to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation in the wild. The flaw affects PTC Windchill PDMlink and PTC FlexPLM, software platforms embedded deeply in manufacturing, aerospace, defense, and retail supply chain operations worldwide.

A Critical Flaw With a Long Tail

The KEV addition on June 26 marks the second time CISA has formally flagged a critical RCE in the PTC Windchill ecosystem in 2026. The first, CVE-2026-4681 (CVSS 10.0 Critical), was disclosed in March 2026 after CISA and Germany's Federal Criminal Police Office (BKA) issued emergency warnings. At the time, PTC stated it had "credible evidence of an imminent threat" from a threat actor actively seeking to exploit the flaw — with German federal authorities reportedly dispatching agents to affected organizations to issue on-site warnings.

CVE-2026-12569, the latest addition, carries a CVSS score of 9.3 and stems from improper input validation allowing unauthenticated attackers to send malicious network requests that trigger arbitrary remote code execution via deserialization of untrusted data. As of June 25, PTC disclosed receiving "continued reports of heightened threat activity," confirming that active exploitation is ongoing.

Web Shell Deployment: A Confirmed Post-Exploitation Path

What distinguishes these Windchill attacks from typical remote exploitation campaigns is the documented use of web shells as a persistence mechanism after initial exploitation. PTC published specific indicators of compromise (IoCs) highlighting three key artifacts:

  • GW.class — a Java class file dropped post-exploitation
  • payload.bin — a secondary payload
  • dpr_<8-hex-digits>.jsp — dynamically named JSP web shells (e.g., dpr_a3f91b2c.jsp)

PTC confirmed that the presence of GW.class or a dpr_*.jsp file on a Windchill server indicates the attacker has completed weaponization — meaning the foothold is established and remote code execution has likely already occurred. Defenders should treat these artifacts as indicators of a full compromise, not an attempted one.

Additional behavioral IoCs include suspicious URL patterns such as run?p= or .jsp?c= combined with anomalous User-Agent strings, and gateway-related error messages referencing GW, GW_READY_OK, or unexpected gateway exceptions in application logs.

Affected Versions

ProductAffected Versions
PTC Windchill PDMlink11.0_M030 through 13.1.3.0 (and prior to 11.0_M030)
PTC FlexPLM11.0_M030 through 13.0.3.0 (and prior to 11.0_M030)

Both products are used across critical sectors including aerospace, defense, medical device manufacturing, automotive, and industrial supply chain management — making exploitation particularly high-risk from a national security and operational continuity perspective.

Why PLM Systems Are Attractive Targets

PLM platforms like Windchill are rarely discussed in vulnerability briefings, yet they represent extremely high-value targets. These systems store engineering designs, product specifications, bills of materials, manufacturing workflows, and supply chain data — often for products tied to defense contracts or critical infrastructure. Successful exploitation could give adversaries access to:

  • Proprietary design files and intellectual property
  • Manufacturing process parameters
  • Partner and supplier network data
  • Credentials for downstream systems integrated with the PLM platform

The combination of operational complexity, long patch cycles in industrial environments, and internet-facing deployments makes PLM software a growing focus for sophisticated threat actors.

Mitigation and Remediation Steps

Organizations running PTC Windchill or FlexPLM should act immediately:

For PTC-Hosted Customers: PTC states that remediation steps are being applied on behalf of hosted customers. Contact PTC directly if additional action is required.

For On-Premise Deployments:

  1. Apply patches as provided in PTC's advisory — check the PTC Trust Center for the latest patch details.
  2. Apply Apache/IIS workarounds to deny access to the vulnerable servlet path. PTC has published specific configuration steps for both Apache HTTP Server and Microsoft IIS deployments, including File Server and Replica Server configurations.
  3. Scan for IoCs — search for GW.class, payload.bin, and dpr_*.jsp files on all Windchill server instances.
  4. Review web server access logs for suspicious URL patterns (run?p=, .jsp?c=) and anomalous User-Agent strings.
  5. Isolate if unmitigated — if patching or workaround application is not immediately possible, temporarily disconnect affected instances from the internet or shut down the service.

Federal civilian agencies subject to CISA's Binding Operational Directive 22-01 are required to remediate KEV catalog entries by the specified deadline; organizations should consult the KEV catalog entry for the applicable due date.

References

  • CISA KEV Catalog — CVE-2026-12569
  • PTC Customer Advisory — June 2026
  • CISA ICS Advisory ICSA-26-085-03
  • BleepingComputer: PTC warns of imminent threat
  • Security Affairs: CISA and BSI warn of critical PTC flaw
#Vulnerability#CISA#KEV#ICS#Remote Code Execution

Related Articles

CISA: New Langflow Flaw Actively Exploited to Hijack AI

CISA has added CVE-2026-33017, a critical unauthenticated remote code execution vulnerability in the Langflow AI framework, to its Known Exploited...

5 min read

CISA Orders Feds to Prioritize Patching Langflow Auth Bypass Flaw

CISA added CVE-2026-55255, a CVSS 9.9 IDOR authorization bypass in Langflow, to its Known Exploited Vulnerabilities catalog on July 7, ordering U.S. federal agencies to patch under the accelerated 3-day deadline of new Binding Operational Directive BOD 26-04.

6 min read

CISA Sets Urgent Deadline to Fix Cisco Flaw Actively Exploited in Attacks

CISA has added a Cisco Unified Communications Manager Server vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to...

4 min read
Back to all News