Critical PTC Windchill Flaw Exploited to Plant Web Shells

Attackers are exploiting a CVSS 9.3 flaw in PTC Windchill, the product design software used across aerospace, automotive and medical manufacturing, to run code and drop web shells on exposed servers. CISA added it to its must-patch list with a 28 June federal deadline. It is the first PTC bug ever to make that catalogue.

By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read

A flaw in PTC Windchill is under active attack, and the score alone tells you why it matters. CVE-2026-12569 carries a CVSS rating of 9.3 out of 10. It lets an unauthenticated attacker run code on the server by sending a single malicious request.

By the numbers

  • 9.3 out of 10 on the CVSS severity scale.
  • 7 product versions received fixes from PTC, with the first released on 17 June.
  • 28 June: the deadline CISA set for US federal agencies to patch.
  • First time a PTC product has ever appeared in CISA's Known Exploited Vulnerabilities catalogue.

What the bug actually is

The weakness is an unsafe deserialization flaw in the web-based Windchill PDMLink data management component. Deserialization is the step where software rebuilds saved data back into live objects in memory. When that step trusts attacker-supplied data, it can be tricked into running commands instead of just loading information. Here the payoff is remote code execution with no login required.

PTC has confirmed reports of heightened activity against its customers. Attackers who get a foothold are dropping web shells: small backdoor scripts that hand them a command channel on the server, which keeps working even after the original hole is patched.

Check whether you are exposed

  • Confirm your exact Windchill or FlexPLM build. PTC patched Windchill 13.1.1, 13.0.2, 12.1.2, 12.0.2, 11.2.1, 11.1 M020 and 11.0 M030. If your build is older than the fixed release for its version line, treat the server as exposed.
  • Search your web server logs for any POST request to a path like /Windchill/login/ followed by a 16-character hex filename ending in .jsp. The known web shells use names built that way.
  • Inspect the Windchill web directories for recently created or modified .jsp files nobody on your team placed there.
  • If you find a shell, assume the server is compromised. Patching does not remove a backdoor that is already running, so rebuild or fully investigate before trusting it again.
  • Pull any internet-facing Windchill instance off the public network until it is patched and checked.
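One way to run the log check from the list above, written here as an added example rather than anything published by PTC or the article's author. It assumes Common Log Format access logs (adjust the pattern for your Tomcat or Apache log layout) and uses constructed sample lines embedded in the script.

```python
import re
from collections import Counter

# Web-shell naming pattern described in the advisory text: a POST to
# /Windchill/login/<16 hex characters>.jsp (any query string is ignored).
SHELL_PATH = re.compile(r"^/Windchill/login/[0-9a-fA-F]{16}\.jsp$")

# Common Log Format entry: host ident user [time] "METHOD PATH PROTO" status size
# (assumed log layout; change this if your access log uses a different pattern)
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_shell_requests(lines):
    """Return (host, time, path, status) for every POST whose path matches the shell pattern."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log entry in the expected format
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if m["method"] == "POST" and SHELL_PATH.match(path):
            hits.append((m["host"], m["time"], path, int(m["status"])))
    return hits

def sources_by_hit_count(hits):
    """Count matching POSTs per client address, most active first."""
    return Counter(h[0] for h in hits).most_common()

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2026:09:14:02 +0000] "POST /Windchill/login/3f9a1c7e5b2d8e04.jsp HTTP/1.1" 200 512
198.51.100.20 - - [18/Jun/2026:09:15:10 +0000] "GET /Windchill/app/ HTTP/1.1" 200 8844
203.0.113.7 - - [18/Jun/2026:09:16:33 +0000] "POST /Windchill/login/3f9a1c7e5b2d8e04.jsp?x=1 HTTP/1.1" 200 60
192.0.2.4 - - [18/Jun/2026:09:17:01 +0000] "POST /Windchill/login/login.jsp HTTP/1.1" 302 0
192.0.2.4 - - [18/Jun/2026:09:18:45 +0000] "GET /Windchill/login/3f9a1c7e5b2d8e04.jsp HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    hits = find_shell_requests(SAMPLE_LOG)
    for host, when, path, status in hits:
        print(f"{when}  {host}  POST {path}  -> {status}")
    print("sources:", sources_by_hit_count(hits))
```

A match is a lead, not proof: confirm it by inspecting the named .jsp file on disk, as the next step in the list describes.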

Why manufacturers are the target

Windchill runs product lifecycle management for firms in defence, aerospace, automotive, medical devices, electronics and industrial machinery. The files inside are blueprints, engineering designs and supplier data, exactly the intellectual property a competitor or a state buyer would pay for. A breach at one supplier can also open a path into the larger manufacturers it works with, which is how a single exposed server turns into a supply chain problem.