Actively exploited in the wild
PTC Windchill and FlexPLM Improper Input Validation Vulnerability
PTC — Windchill and FlexPLM · Listed in the CISA KEV since 2026-06-25. This indicates confirmed attacks in production environments.
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CVE-2026-12569
Severity: Critical (CVSS 9.8) · KEV · Exploitation Probability (EPSS)
Elevated risk: 62nd percentile (higher than 62% of all known CVEs)
Summary
A critical remote code execution (RCE) vulnerability in PTC Windchill PDMlink and PTC FlexPLM. The flaw can be exploited via deserialization of untrusted data, allowing an attacker to execute arbitrary code remotely.
Risk Assessment
The risk for the organization includes potential full compromise of the vulnerable system, data theft, or disruption of business operations.
Recommendation
Immediately upgrade to version 11.0 M030 or later, and apply CPS patches for all affected versions.
Original NVD description (English source)
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
* This advisory also applies to all CPS versions
* The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030