VULNERABILITY OVERVIEW
CVE-2026-12569 (CWE-20 / CWE-502) is a maximum-severity unauthenticated remote code execution flaw in PTC's PLM platforms, Windchill and FlexPLM, which are used across the aerospace, automotive, defense, and fashion sectors. An attacker who can reach a servlet endpoint over the network, with no credentials and no user interaction, can submit maliciously crafted serialized data that the server deserializes (CWE-502), leading to code execution on the host; the advisory also tags the weakness as improper input validation (CWE-20). The German BSI issued emergency after-hours alerts to affected organizations, warning of impending attacks on internet-exposed Windchill instances. PTC released a patch on June 15, 2026, and CISA added the CVE to the KEV catalog on June 25, 2026, with active exploitation confirmed. Because exploitation is confirmed, patching alone is not sufficient for instances that were reachable from the internet before the fix was applied; those should also be reviewed for signs of compromise.
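The overview describes the attack shape (an unauthenticated POST of serialized Java data to a servlet endpoint) without giving a detection rule. The following is an added example for this page, not PTC's code and not derived from the advisory: it flags HTTP requests whose body is a Java serialization stream, raw (the STREAM_MAGIC/STREAM_VERSION header AC ED 00 05) or base64-encoded (which always begins "rO0AB"), and marks the ones arriving without a session. The request records and the path "/Windchill/servlet/example" are constructed placeholders; the real endpoint path is not stated on this page and must be taken from the PTC advisory.

```python
"""Flag Java serialized payloads posted to servlet endpoints.

Added detection example, not PTC code. Sample requests are constructed;
"/Windchill/servlet/example" is a placeholder path, not the real endpoint.
"""
import base64
import binascii

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# base64 of those four bytes always starts with this prefix
JAVA_SER_B64_PREFIX = b"rO0AB"


def is_java_serialized(body: bytes) -> bool:
    """True if body is a raw or base64-encoded Java serialization stream."""
    if body.startswith(JAVA_SER_MAGIC):
        return True
    stripped = body.strip()
    if stripped.startswith(JAVA_SER_B64_PREFIX):
        # Decode the first 8 base64 chars (6 bytes) and confirm the magic,
        # rejecting bodies that merely share the text prefix.
        try:
            decoded = base64.b64decode(stripped[:8], validate=True)
        except binascii.Error:
            return False
        return decoded.startswith(JAVA_SER_MAGIC)
    return False


def scan_requests(requests):
    """Return (path, reason) for each POST carrying a Java serialized body.

    Each request is a dict with keys: method, path, has_session (bool), body
    (bytes). Unauthenticated hits are tagged so they can be triaged first,
    matching the pre-auth nature of the vulnerability described above.
    """
    findings = []
    for req in requests:
        if req["method"].upper() != "POST":
            continue
        if not is_java_serialized(req["body"]):
            continue
        reason = "java-serialized-body"
        if not req["has_session"]:
            reason += ";unauthenticated"
        findings.append((req["path"], reason))
    return findings


# Constructed sample traffic (not real captures). Bodies only carry the
# stream header and a class-descriptor fragment; no gadget chain is included.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/Windchill/servlet/example", "has_session": False,
     "body": b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"},
    {"method": "POST", "path": "/Windchill/servlet/example", "has_session": True,
     "body": base64.b64encode(b"\xac\xed\x00\x05sr\x00\x0ejava.util.List")},
    {"method": "POST", "path": "/Windchill/app/login", "has_session": False,
     "body": b"user=alice&pass=x"},
    {"method": "GET", "path": "/Windchill/servlet/example", "has_session": False,
     "body": b""},
]

if __name__ == "__main__":
    for path, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{path}: {reason}")
```

Feed it request records from a reverse proxy or WAF log that retains request bodies; a legitimate Windchill client may also send serialized Java objects, so treat a hit as a triage signal, with unauthenticated hits against the advisory's endpoint as the priority, rather than as proof of exploitation.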
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact: C:H · I:H · A:H
Vector (CVSS 3.x form of the metrics above): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: in CVSS 3.1 that vector scores 9.8, not 10.0; a 10.0 base score requires a changed scope (S:C). Confirm the CVSS version and score against the PTC advisory and the NVD entry before quoting a number.
AFFECTED VERSIONS
Windchill PDMLink 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.x, 13.1.x and all releases prior to 11.0 M030; FlexPLM (all CPS versions). Confirm the installed release and CPS level of each instance against the PTC advisory linked below rather than relying on this list alone.
CITATIONS
- PTC Trust Center Advisory, June 2026: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-rce-vulnerability
- CISA KEV, June 25, 2026: https://www.cisa.gov/news-events/alerts/2026/06/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Heise Online, BSI calls admins at night: https://www.heise.de/en/news/PTC-Windchill-BSI-calls-admins-at-night-due-to-critical-security-vulnerability-11338329.html
- BSI / B2B-Cyber-Security.de: https://b2b-cyber-security.de/en/BSI-warns-of-critical-vulnerability-10.0-rce-in-PTC-Windchill-and-FlexPLM/
- NVD CVE-2026-12569: https://nvd.nist.gov/vuln/detail/CVE-2026-12569