CISA added a critical remote code execution vulnerability in PTC Windchill to its Known Exploited Vulnerabilities catalog on Thursday, citing evidence of active exploitation. The flaw, CVE-2026-12569 with a CVSS score of 9.3, allows attackers to execute arbitrary code by sending a malicious request.
What makes this particularly urgent: PTC confirmed on June 25 that despite releasing patches last week, attackers are still exploiting the vulnerability to deploy JSP web shells against vulnerable systems. The company published a set of indicators of compromise to help defenders spot the activity.
The IoCs include five attacker IP addresses (172.111.38.31, 216.152.148.54, 104.243.35.131, 74.50.76.146, and 5.180.41.35) and a specific web shell naming pattern: /Windchill/login/[0-9a-f]{16}.jsp. PTC also flagged a specific file hash (55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c) and the presence of flst.txt in /tmp as confirmation of attacker file-listing activity.
This is the first-ever PTC product vulnerability on CISA’s KEV catalog. For anyone running Windchill PDMLink or FlexPLM, the recommended immediate steps are: block 5.180.41.35 at the perimeter, search HTTP access logs for POST requests to Windchill login paths with JSP files, scan the filesystem for matching web shell filenames, and restrict internet exposure of the Windchill login endpoint where operationally possible.
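The log search and filesystem scan recommended above can be scripted against the published indicators. The following Python is an added example, not PTC or CISA tooling: it assumes access logs in the Apache/Tomcat common or combined format, the sample log lines are constructed, and the function names and the directory passed to `find_shell_files` are hypothetical.

```python
import re
from pathlib import Path

# IoC values as published in the article above.
IOC_IPS = {"172.111.38.31", "216.152.148.54", "104.243.35.131",
           "74.50.76.146", "5.180.41.35"}
SHELL_URI = re.compile(r"/Windchill/login/[0-9a-f]{16}\.jsp")
SHELL_FILE = re.compile(r"[0-9a-f]{16}\.jsp")
# Assumption: access logs use the Apache/Tomcat common or combined format.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)')

def triage_line(line):
    """Return the IoC reasons (possibly empty) for one access-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    reasons = ["ioc_ip"] if m["ip"] in IOC_IPS else []
    path = m["uri"].split("?", 1)[0].split(";", 1)[0]  # drop query and path params
    if SHELL_URI.fullmatch(path):
        reasons.append("webshell_uri")
    elif (m["method"] == "POST" and path.startswith("/Windchill/login/")
          and path.endswith(".jsp")):
        reasons.append("post_login_jsp")  # lower confidence, review by hand
    return reasons

def triage_log(text):
    """Return [(line_number, reasons)] for every line with at least one hit."""
    hits = [(n, triage_line(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, r) for n, r in hits if r]

def find_shell_files(root):
    """Return sorted paths under root whose file name fits the web shell pattern."""
    return sorted(p for p in Path(root).rglob("*.jsp") if SHELL_FILE.fullmatch(p.name))

# Constructed sample lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jun/2026:10:01:02 +0000] "GET /Windchill/login/ HTTP/1.1" 200 5120
5.180.41.35 - - [25/Jun/2026:10:03:44 +0000] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 312
203.0.113.9 - - [25/Jun/2026:10:05:10 +0000] "POST /Windchill/login/a1b2c3d4e5f60718.jsp?x=1 HTTP/1.1" 200 88
198.51.100.7 - - [25/Jun/2026:10:06:00 +0000] "POST /Windchill/login/example.jsp HTTP/1.1" 200 900
74.50.76.146 - - [25/Jun/2026:10:07:30 +0000] "GET /Windchill/ HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for n, reasons in triage_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

A `webshell_uri` hit from any source address matters as much as an `ioc_ip` hit, since the listed addresses cover only the activity PTC observed; `post_login_jsp` hits are leads for manual review.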
