
CVE-2026-12569: PTC Windchill — Unauthenticated RCE, Webshells Deployed (June 2026)
CVE-2026-12569 is a critical vulnerability in PTC Windchill and FlexPLM that allows unauthenticated remote code execution (RCE). Attackers are actively exploiting the flaw to deploy JSP webshells on unpatched systems. PTC confirmed in-the-wild exploitation immediately after releasing patches on June 18, 2026. The vulnerability stems from improper input validation, and nothing indicates that exploitation requires authentication.
Attack Vector
Attackers exploit CVE-2026-12569 by sending crafted requests to vulnerable Windchill or FlexPLM instances, bypassing input validation controls. Successful exploitation enables arbitrary code execution and direct deployment of JSP webshells to the application server. These webshells give attackers persistent, interactive access, which can be used for lateral movement or data exfiltration. German authorities have issued warnings about ongoing campaigns targeting domestic organizations. Indicators of compromise (IOCs) include unexpected JSP files in web application directories and anomalous outbound connections initiated by the application server.
Who Is at Risk
All organizations running unpatched PTC Windchill or FlexPLM deployments are at risk, regardless of region or industry. PTC Windchill customers are specifically targeted, with confirmed exploitation in North America and active warnings issued in Germany. Both on-premises and internet-exposed instances are vulnerable if not updated to the latest patched version.
Patch & Mitigate
- Patch: Apply the official PTC security update released June 18, 2026, for Windchill and FlexPLM. Patch all instances immediately.
- Workaround: No official workaround is available. Restrict external access to management interfaces as a temporary measure.
- Detect: Monitor for creation of unauthorized JSP files in application directories, unexpected process launches by the application server, and unusual outbound traffic. Review web server logs for suspicious requests and failed authentication attempts.
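One way to implement the JSP-file check from the Detect item, as an added example that is not code from PTC or the source article: it hashes every .jsp/.jspx file under a web root and diffs the result against a baseline. The directory layout, file names and file contents are constructed; point `snapshot()` at your own deployment's web application directory.

```python
import hashlib
import os
import tempfile

JSP_EXTS = (".jsp", ".jspx")  # server-side page types a webshell would use

def snapshot(root):
    """Map relative path -> SHA-256 for every JSP/JSPX file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(JSP_EXTS):  # case-insensitive match
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                result[os.path.relpath(full, root)] = digest
    return result

def diff_against_baseline(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed

def demo():
    """Constructed web root: baseline it, then simulate a new and a changed JSP."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "help"))
        for rel in (("app", "index.jsp"), ("app", "help", "about.jsp")):
            with open(os.path.join(root, *rel), "w") as fh:
                fh.write("<%-- constructed legitimate page --%>")
        baseline = snapshot(root)
        # Simulated later state (constructed, harmless placeholder content)
        with open(os.path.join(root, "app", "help", "x1.JSP"), "w") as fh:
            fh.write("<%-- constructed placeholder for an unexpected file --%>")
        with open(os.path.join(root, "app", "index.jsp"), "a") as fh:
            fh.write("<%-- constructed appended content --%>")
        return diff_against_baseline(baseline, snapshot(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    for label, paths in (("NEW", added), ("MODIFIED", modified),
                         ("REMOVED", removed)):
        for p in paths:
            print(f"{label}: {p}")
```

Take the baseline from a known-good installation and store it off the server; a baseline captured on an already-compromised host would record the webshell as legitimate.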
MITRE ATT&CK
- TA0001 — Initial Access: Attackers exploit the vulnerability to gain a foothold via unauthenticated requests.
- TA0002 — Execution: Webshells enable arbitrary command execution on compromised servers.
Source: https://www.helpnetsecurity.com/2026/06/29/ptc-windchill-cve-2026-12569-exploited/

