First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild

Summary

Threat actors are actively exploiting CVE-2026-12569, a remote code execution vulnerability in PTC Windchill and FlexPLM. CISA has added this flaw to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch it by June 28. This marks the first time a PTC product vulnerability has been added to the KEV catalog, and the exploitation is particularly concerning given Windchill's widespread use in critical industrial and manufacturing sectors.

Full text

Threat actors have successfully exploited a vulnerability in PTC Windchill in the wild, marking the first confirmed real-world abuse of the popular product lifecycle management (PLM) platform. The vulnerability is tracked as CVE-2026-12569 and it affects PTC’s Windchill and FlexPLM products. The improper input validation flaw can be exploited by a remote, unauthenticated attacker to execute arbitrary code via specially crafted requests. The cybersecurity agency CISA added the security hole to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, instructing federal agencies to address it by June 28. SecurityWeek ICS Cybersecurity Conference Heads to Nashville for Special 25-Year Anniversary Edition This is the first-ever PTC product vulnerability added to CISA’s KEV catalog, and there do not appear to be any public reports describing the exploitation of other flaws. However, authorities have been expecting threat actors to start exploiting PTC products. In March, German police physically alerted companies about the risk posed by a different PTC Windchill vulnerability, CVE-2026-4681. While exploitation at the time seemed imminent, there are no reports of CVE-2026-4681 being used in attacks.Advertisement. Scroll to continue reading. For CVE-2026-12569, PTC began releasing patches and mitigations on June 17. The vendor published indicators of compromise (IoCs) the next day, warning that attackers have been exploiting it to deploy persistent JSP webshells that enable remote command execution and data exfiltration. It’s unclear who is behind the attacks, but PTC updated its advisory on Thursday to warn that it has been receiving reports of “heightened threat activity”. Heise reported just before exploitation was confirmed that German police had begun alerting organizations about the latest PTC vulnerability after learning of imminent attacks. Windchill is widely deployed across industrial and manufacturing organizations — including automotive, aerospace, defense, and heavy machinery companies — making the active exploitation of this vulnerability a significant threat to critical supply chains and operational technology environments. Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Related: Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning Related: Rockwell Automation Patches Vulnerabilities in ICS Controllers and Software Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Cisco SD-WAN Zero-Day Exploited Months Before PatchingMicrosoft and Allies Smash Shared Infrastructure of Amadey and StealC MalwaremacOS Weaknesses Chained to Silently Disable Endpoint Security AgentsThird DraftKings Hacker Sentenced to 18 Months in PrisonHackers Exploiting Cisco Unified CM VulnerabilityDragos Unveils AI for OT Security Algerian Man Extradited to US for Running Cybercrime MarketplacesTrump Signs Executive Order Accelerating Post-Quantum Cryptography Migration Latest News $3 Million Reportedly Stolen in Polymarket HackRussian APT Deploys ‘StockStay’ Backdoor Against Ukrainian TargetsNew Enterprise-Ready MCP Specification Brings New Security ChallengesPhilip Martin Joins Uber as Chief Information Security OfficerRunlayer Raises $30 Million in Series A FundingCal Water Says No OT Systems Breached in Iranian Handala CyberattackLantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat WarningGitLab Patches Code Execution, Information Disclosure Vulnerabilities Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MovePhilip Martin has joined Uber as Chief Information Security Officer.Fable Security has appointed Jacob Berry as Chief Information Security Officer.iCOUNTER has named Ali Waezzadah as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-12569
• cve — CVE-2026-4681

Entities