Overview
A critical remote code execution (RCE) vulnerability has been discovered in PTC's Windchill PDMLink and FlexPLM product lifecycle management (PLM) platforms. Tracked as CVE-2026-12569, the flaw carries a CVSS v4.0 score of 9.3 (Critical) and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog on June 25, 2026, signaling confirmed active exploitation in the wild.
The vulnerability stems from deserialization of untrusted data (CWE-502) combined with improper input validation (CWE-20), allowing a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted malicious network request.
Affected Products
| Product | Affected Versions |
|---|---|
| PTC Windchill PDMLink | Up to version 13.1.3.0 |
| PTC FlexPLM | Up to version 13.0.3.0 |
| All CPS versions | All releases prior to 11.0 M030 |
Technical Details
The vulnerability resides in the network-accessible deserialization layer of both Windchill and FlexPLM. Exploiting the flaw requires:
- No authentication — the attack vector is network-accessible without credentials
- No user interaction — fully remote exploitation with no victim action needed
- No special privileges — low complexity, any network-adjacent attacker can trigger it
Successful exploitation results in full compromise of confidentiality, integrity, and availability of the target system. Given that Windchill and FlexPLM are widely deployed in manufacturing, aerospace, and defense sectors, the potential blast radius is significant.
CISA KEV Addition
CISA added CVE-2026-12569 to the KEV catalog on June 25, 2026 under Binding Operational Directive (BOD) 26-04. Federal civilian executive branch (FCEB) agencies are required to apply mitigations per vendor guidance by the specified deadline. The KEV listing confirms exploitation activity is occurring in the wild.
Mitigation
PTC has released patches addressing this vulnerability. Organizations should:
- Apply patches immediately per PTC support article CS473270
- Restrict network access to Windchill and FlexPLM interfaces where possible (firewall rules, network segmentation)
- Monitor for anomalous activity on PLM systems, particularly unexpected outbound connections or unusual process spawning
- If patching is not immediately feasible, discontinue use of the affected product per CISA guidance
References
- NVD — CVE-2026-12569
- CISA KEV Catalog
- PTC Support Article CS473270 (vendor patch guidance)