CVE-2026-12569: Unauthenticated RCE in PTC Windchill and FlexPLM

"A critical deserialization flaw in PTC Windchill PDMLink and FlexPLM lets an unauthenticated, remote attacker execute arbitrary code, and CISA has confirmed it is being actively exploited."

A critical deserialization flaw in PTC Windchill PDMLink and FlexPLM lets an unauthenticated, remote attacker execute arbitrary code, and CISA has confirmed it is being actively exploited.

What Is It

CVE-2026-12569 is a critical remote code execution vulnerability in PTC Windchill PDMLink and PTC FlexPLM. It stems from improper input validation (CWE-20) and deserialization of untrusted data (CWE-502). An unauthenticated, remote attacker can trigger it by sending a malicious request over the network, with no privileges or user interaction required. NVD assigns a CVSS 4.0 base score of 9.3 (CRITICAL), with the vulnerability rated as automatable and carrying total technical impact.

Why It Matters

CISA added CVE-2026-12569 to its Known Exploited Vulnerabilities catalog on 2026-06-25, and the CISA SSVC assessment lists exploitation status as "active." Because the flaw is network-reachable, requires no authentication, and is automatable, it is well-suited to mass exploitation. Successful attacks yield high impact to confidentiality, integrity, and availability; effectively full compromise of affected application servers. Known ransomware campaign use is currently listed as "Unknown."

What's Vulnerable

Affected products are PTC Windchill PDMLink and PTC FlexPLM. Per NVD, the issue impacts all releases up to and including 11.0 M030, and additionally applies to all CPS versions. Specific affected versions include:

Windchill PDMLink: up to and including 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, and 13.1.3.0.
FlexPLM: up to and including 11.0 M030, plus 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, and 13.0.3.0.

Patch Status

CISA requires organizations to apply mitigations per PTC's vendor instructions in compliance with BOD 26-04, and to follow CISA's Forensics Triage Requirements. For cloud services, follow applicable BOD 26-04 guidance or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure. Given active exploitation, organizations should remediate immediately; consult the CISA KEV catalog entry for the authoritative remediation due date. Refer to PTC support article CS473270 for vendor guidance.

Sources

PTC Support Article CS473270; https://www.ptc.com/en/support/article/CS473270
CISA Known Exploited Vulnerabilities Catalog; https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569
NVD, CVE-2026-12569, https://nvd.nist.gov/vuln/detail/CVE-2026-12569
CISA BOD 26-04; https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk