Critical (9.3) Actively Exploited

Windchill RCE exploited in the wild (CVE-2026-12569)


CVE-2026-12569: Critical unauthenticated RCE in PTC Windchill PDMlink/FlexPLM via deserialization (CVSS 9.3). Actively exploited. Update to 11.0 M030 or later.

Actively exploited in the wild: CVE-2026-12569 is a critical remote code execution vulnerability in PTC Windchill PDMlink and FlexPLM versions prior to 11.0 M030 that lets an unauthenticated attacker fully compromise the system through deserialization of untrusted data. Patches are available in Windchill 11.0 M030 and later releases.

Overview

CVE-2026-12569 is a deserialization vulnerability in PTC Windchill PDMlink and FlexPLM that allows an unauthenticated attacker to execute arbitrary code on the target server. The vulnerability is reachable over the network with low complexity and requires no user interaction, earning it a critical CVSS score of 9.3. The flaw also impacts all CPS (Customized Product Solution) versions and all Windchill and FlexPLM releases before 11.0 M030.

The root cause is the unsafe deserialization of user-supplied data by the application, a classic attack vector commonly exploited in Java-based enterprise software. An attacker can send a crafted serialized object to the listening service; the application deserializes it without restricting which classes the stream may instantiate, so attacker-chosen code runs during deserialization and gives the attacker full control over the server.
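The defensive counterpart to the root cause above, as an added example that is not Windchill's or PTC's code: a plain-Java allow-list deserialization filter (JEP 290's `ObjectInputFilter`, Java 9 or later), with the unrestricted `readObject()` pattern the text describes beside the filtered form. The `DeserializationFilterDemo` class, the `PartRecord` type and the two sample payloads are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

/**
 * Added example (not Windchill code): the same readObject() call with and
 * without a deserialization allow-list. Requires Java 9 or later for
 * ObjectInputStream.setObjectInputFilter.
 */
public class DeserializationFilterDemo {

    // Constructed stand-in for the one record type this endpoint is meant to accept.
    static final class PartRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String number;
        PartRecord(String number) { this.number = number; }
    }

    // Weak form: readObject() will instantiate any Serializable class on the
    // classpath, so the peer, not the application, decides which types (and
    // their readObject hooks) run. This is the pattern behind untrusted-data
    // deserialization flaws.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened form: an ObjectInputFilter consulted for every class descriptor
    // in the stream before it is resolved. Only PartRecord, String, primitives
    // and arrays of those are allowed; every other class is rejected up front.
    static final ObjectInputFilter ALLOW_LIST = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // depth/size probes carry no class
        }
        while (c.isArray()) {
            c = c.getComponentType();
        }
        return (c == PartRecord.class || c == String.class || c.isPrimitive())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static PartRecord readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return (PartRecord) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PartRecord("WT-0001")); // constructed sample
        byte[] unexpected = serialize(new ArrayList<>());       // constructed: any class outside the allow-list

        // Unfiltered: the stream dictates the type; the application only learns
        // what it was after the object has already been built.
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected).getClass().getName());

        // Filtered: the expected record still round-trips ...
        System.out.println("filtered accepted:   " + readFiltered(expected).number);

        // ... while any other class is refused before its readObject hook runs.
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected:   " + e.getMessage());
        }
    }
}
```

Compile with `javac DeserializationFilterDemo.java` and run with `java DeserializationFilterDemo`. The same allow-list can be applied JVM-wide without touching application code through the `jdk.serialFilter` system property (JDK 9 and later, also back-ported to 8u121), which is the only option for a vendor product whose source you cannot change; its pattern must then be tuned so the product's own legitimate classes are not blocked, and it is a compensating control alongside the vendor upgrade, not a replacement for it.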

Affected Products

  • PTC Windchill PDMlink (all versions prior to 11.0 M030)
  • PTC FlexPLM (all versions prior to 11.0 M030)
  • All CPS versions built on the same codebase

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code with the privileges of the Windchill application service account. Depending on the deployment configuration, this can lead to full server compromise, including access to product lifecycle data, intellectual property, and potentially lateral movement to connected systems.

Remediation

PTC has released fixes for this vulnerability. Organizations running Windchill PDMlink or FlexPLM should:

  1. Immediately upgrade to Windchill 11.0 M030 or the latest available release.
  2. Apply CPS patches for any customized deployments.
  3. Restrict network access to Windchill services using firewalls or network segmentation until patching is complete.
  4. Review system logs for signs of exploitation, particularly unusual deserialization activity or unexpected process execution.

Given the CISA KEV listing and active exploitation in the wild, this upgrade should be treated as a high-priority emergency change.

Security Insight

This vulnerability underscores the persistent risk of deserialization flaws in large enterprise PLM systems, which are often difficult to patch due to complex customizations and long upgrade cycles. Unlike web-facing applications where rapid patching is standard, PDMlink and FlexPLM deployments frequently run in heavily customized, air-gapped networks, creating a dangerous lag in remediation. This incident mirrors the 2021 vulnerabilities in IBM WebSphere and Apache Log4j, where deserialization and similar remote code execution paths were exploited for years after patches were available. For ongoing coverage of such threats, see our security news section for the latest advisories and our breach reports for real-world incident data.
