
CISA Confirms Active RCE Exploits Targeting PTC Windchill and FlexPLM


CyberSecureFox Editorial Team


On June 25, 2026, CISA added CVE-2026-12569 (CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild. The vulnerability affects two PTC enterprise PLM platforms, Windchill PDMLink and FlexPLM, which are widely used in manufacturing as well as in the aerospace and defense industries. Threat actors are already deploying JSP web shells on vulnerable systems. Organizations running these products should apply the patches immediately and check for signs of compromise.

Technical nature of the vulnerability

According to the PTC advisory, CVE-2026-12569 is a remote code execution (RCE) vulnerability classified as improper input validation; the underlying mechanism is deserialization of untrusted data. An attacker sends a specially crafted network request that the server deserializes, and the result is arbitrary code execution on the server.

According to the CVE entry, the vulnerability carries a CVSS score of 9.3, which is critical severity. Exploitation requires no authentication and is performed over the network, making any internet-exposed Windchill or FlexPLM installation a potential target.

PTC released patches prior to June 25; however, the company has confirmed it continues to receive reports of “increased threat activity.” Unknown threat actors are exploiting the vulnerability to deploy JSP web shells — server-side backdoors that provide persistent access to the compromised system.

Observed campaign and indicators of compromise

PTC has published a detailed set of indicators of compromise (IOCs) associated with the current campaign. Web shells are placed under the path /Windchill/login/ and have names consisting of 16 hexadecimal characters with a .jsp extension (pattern: /Windchill/login/[0-9a-f]{16}.jsp).

Attacker infrastructure IP addresses:

  • 172.111.38.31
  • 216.152.148.54
  • 104.243.35.131
  • 74.50.76.146
  • 5.180.41.35 — identified by PTC as a command-and-control (C2) server address

Additional artifacts:

  • SHA-256 hash of the web shell: 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
  • The file flst.txt in the /tmp directory or the Windchill working directory — an indicator of the attacker’s reconnaissance activity (file system listing)
  • Non-standard HTTP request header X-windchill-req, present in the malicious requests

The nature of the attack — deserialization followed by web shell deployment and connection to C2 — points to a methodical approach aimed at maintaining a foothold in the victim’s infrastructure. Use of the listing file (flst.txt) indicates that after initial access, the attackers perform reconnaissance of the server’s contents, likely to identify valuable data or prepare for further lateral movement within the network.

Impact assessment

PTC Windchill is one of the leading PLM platforms used by major manufacturing enterprises to manage the product lifecycle, including engineering documentation, bills of materials (BOM), and supply chain data. FlexPLM is used in the fashion and retail industries for product development management.

Compromise of a PLM system can potentially expose:

  • Intellectual property — drawings, 3D models, and manufacturing processes
  • Supply chain data and information about suppliers
  • The organization’s internal network through lateral movement from the compromised server

The speed with which threat actors began exploiting CVE-2026-12569 — within days of the patch being released — underscores how critical it is to update promptly. The window between disclosure of a vulnerability and the start of widespread exploitation continues to shrink.

Response recommendations

PTC and CISA recommend the following immediate actions:

Priority 1: Blocking and patching

  • Immediately block the C2 server IP address 5.180.41.35 on the perimeter firewall
  • Block the other published IP addresses of the attacker infrastructure
  • Apply the patch from PTC in accordance with the official advisory
  • Restrict internet access to the Windchill login endpoint wherever operationally feasible

Priority 2: Detecting compromise

  • Review HTTP access logs for requests to /Windchill/login/ whose target matches the 16-hex-character pattern (POST requests in particular, but a deployed shell is often driven with GET as well); the published IOC is the filename pattern, not the .jsp extension alone
  • Search the file system for JSP files matching the pattern /Windchill/login/[0-9a-f]{16}.jsp
  • Compare the SHA-256 of any discovered JSP files with the published value 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c; a non-matching hash does not clear a file that matches the name pattern, since the attacker can modify the shell
  • Check for the file flst.txt in /tmp and in the Windchill working directory; treat its presence as a strong indicator of attacker reconnaissance and preserve it for forensic analysis rather than deleting it
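The hunt described by the IOC list above and by the Priority 2 steps, as an added example written for this page (it is not PTC's or CISA's tooling). It checks the published web-shell path pattern, attacker IPs, SHA-256 and flst.txt against an access log and a deployed webapp directory. The Apache/Tomcat combined log format, the sample log lines and the temporary directory tree are all assumed or constructed for the demonstration; the real web shell is not reproduced, so the hash comparison is shown against a placeholder file.

```python
"""IOC hunt for the CVE-2026-12569 Windchill campaign (added example, not
PTC's or CISA's code). Log format assumed: Apache/Tomcat combined access log.
Sample log lines and the demo directory tree are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# IOCs as published on the page.
WEBSHELL_SHA256 = "55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c"
ATTACKER_IPS = {
    "172.111.38.31", "216.152.148.54", "104.243.35.131", "74.50.76.146",
    "5.180.41.35",  # C2 server
}
# Page pattern is /Windchill/login/[0-9a-f]{16}.jsp; the dot is escaped here so
# only a literal ".jsp" matches.
WEBSHELL_PATH_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
WEBSHELL_NAME_RE = re.compile(r"^[0-9a-f]{16}\.jsp$")
RECON_LISTING = "flst.txt"

# Combined log format: client - user [time] "METHOD target PROTO" status bytes
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one dict per log line that hits a web-shell path or attacker IP.
    Every method is flagged, not only POST: a shell is often reached with GET."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt would count and report these
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        reasons = []
        if WEBSHELL_PATH_RE.match(path):
            reasons.append("webshell-path")
        if m["ip"] in ATTACKER_IPS:
            reasons.append("attacker-ip")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": m["status"], "reasons": reasons})
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_filesystem(webapp_root, listing_dirs):
    """webapp_root: the deployed Windchill webapp directory (the one containing
    login/). listing_dirs: /tmp and the Windchill working directory, where the
    page says flst.txt is dropped."""
    findings = []
    login_dir = Path(webapp_root) / "login"
    if login_dir.is_dir():
        for p in sorted(login_dir.iterdir()):
            if p.is_file() and WEBSHELL_NAME_RE.match(p.name):
                digest = sha256_of(p)
                findings.append({"kind": "webshell-candidate", "path": str(p),
                                 "sha256": digest,
                                 # A mismatch does not clear the file: the name
                                 # pattern alone is the IOC, and shells get edited.
                                 "known_hash": digest == WEBSHELL_SHA256})
    for d in listing_dirs:
        f = Path(d) / RECON_LISTING
        if f.is_file():
            findings.append({"kind": "recon-listing", "path": str(f),
                             "size": f.stat().st_size})
    return findings


# Constructed sample log, not real traffic. The legitimate-looking login.jsp
# line shows that the 16-hex name pattern is what matters, not ".jsp" itself.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2026:10:01:02 +0000] "GET /Windchill/ HTTP/1.1" 200 5120
198.51.100.7 - - [25/Jun/2026:10:02:12 +0000] "POST /Windchill/login/login.jsp HTTP/1.1" 302 0
5.180.41.35 - - [25/Jun/2026:10:03:44 +0000] "POST /Windchill/ HTTP/1.1" 200 318
216.152.148.54 - - [25/Jun/2026:10:03:51 +0000] "POST /Windchill/login/3f9a0c71e2b5d4a8.jsp?cmd=id HTTP/1.1" 200 1044
"""


def demo_filesystem_scan():
    """Build a constructed webapp tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        login = root / "Windchill" / "login"
        login.mkdir(parents=True)
        (login / "login.jsp").write_text("<%-- legitimate page --%>")
        (login / "0123456789abcdef.jsp").write_text("<%-- placeholder, not the real shell --%>")
        (root / "tmp").mkdir()
        (root / "tmp" / RECON_LISTING).write_text("/opt/ptc/Windchill\n")
        return scan_filesystem(root / "Windchill", [root / "tmp"])


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("LOG", hit)
    for finding in demo_filesystem_scan():
        print("FS ", finding)
```

Run it against the real access logs and the real webapp directory by feeding the log file to scan_access_log and pointing scan_filesystem at the deployed Windchill context directory, with /tmp and the Windchill working directory as listing_dirs. Any "webshell-candidate" finding should be preserved, not deleted, whether or not known_hash is true.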

Priority 3: Preventive protection

  • Add a WAF/IDS rule that blocks and alerts on requests containing the X-windchill-req header; match the header name case-insensitively, and treat the rule as a detection aid rather than a substitute for the patch, since the attacker can drop the header at any time
  • Monitor both inbound and outbound connections to the published IP addresses; an outbound connection from a Windchill server to 5.180.41.35 indicates a web shell calling back to the C2 server
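The blocking logic of the Priority 3 rule, as an added example that is not PTC's, CISA's or any WAF vendor's code: a WSGI middleware that returns 403 for requests carrying the X-windchill-req header, requests from the published attacker IPs, and requests for the 16-hex web-shell path. A Python filter will not sit in front of Windchill's Tomcat in a real deployment; this is the reference matching logic to port into the WAF or reverse-proxy rule, and a harness to test it. The trusted-proxy address and the demo requests are constructed.

```python
"""Reference implementation of the Priority 3 blocking rule (added example,
not PTC's, CISA's or a WAF vendor's code). Trusted proxy address and demo
requests are constructed."""
import re
from wsgiref.util import setup_testing_defaults

# IOCs as published on the page.
ATTACKER_IPS = {
    "172.111.38.31", "216.152.148.54", "104.243.35.131", "74.50.76.146",
    "5.180.41.35",  # C2 server
}
WEBSHELL_PATH_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
# WSGI stores request headers as HTTP_<NAME>, uppercased with '-' -> '_', so
# matching this key is case-insensitive (x-windchill-req, X-Windchill-Req, ...).
IOC_HEADER_KEY = "HTTP_X_WINDCHILL_REQ"


def client_ip(environ, trusted_proxies):
    """Real client address. Honour X-Forwarded-For only when the TCP peer is a
    trusted proxy, and then take the right-most hop (the one that proxy added);
    everything further left is attacker-controlled."""
    peer = environ.get("REMOTE_ADDR", "")
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return peer


def verdict(environ, trusted_proxies=frozenset()):
    """Return (blocked, reason) for one WSGI request environment."""
    if IOC_HEADER_KEY in environ:
        return True, "ioc-header x-windchill-req"
    ip = client_ip(environ, trusted_proxies)
    if ip in ATTACKER_IPS:
        return True, f"attacker-ip {ip}"
    if WEBSHELL_PATH_RE.match(environ.get("PATH_INFO", "")):
        return True, "webshell-path"
    return False, ""


class IocBlocker:
    """WSGI middleware: 403 on any IOC match, otherwise pass through.
    Blocked requests are recorded in self.events for the SIEM to pick up."""

    def __init__(self, app, trusted_proxies=frozenset()):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)
        self.events = []

    def __call__(self, environ, start_response):
        blocked, reason = verdict(environ, self.trusted_proxies)
        if blocked:
            self.events.append({"client": client_ip(environ, self.trusted_proxies),
                                "method": environ.get("REQUEST_METHOD", ""),
                                "path": environ.get("PATH_INFO", ""),
                                "reason": reason})
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)


def upstream(environ, start_response):
    """Stand-in for the real application behind the filter."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"OK\n"]


def run(app, **environ_overrides):
    """Drive app with one constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(environ_overrides)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the load balancer in front of Tomcat
app = IocBlocker(upstream, TRUSTED_PROXIES)

if __name__ == "__main__":
    print(run(app, PATH_INFO="/Windchill/", REMOTE_ADDR="203.0.113.10"))
    print(run(app, PATH_INFO="/Windchill/", REMOTE_ADDR="203.0.113.10",
              HTTP_X_WINDCHILL_REQ="1"))
    print(run(app, PATH_INFO="/Windchill/", REMOTE_ADDR="10.0.0.5",
              HTTP_X_FORWARDED_FOR="203.0.113.10, 216.152.148.54"))
    print(run(app, PATH_INFO="/Windchill/login/3f9a0c71e2b5d4a8.jsp",
              REMOTE_ADDR="203.0.113.10"))
    for event in app.events:
        print("BLOCK", event)
```

The X-Forwarded-For handling is the part most often got wrong when an IP blocklist is moved behind a load balancer: trusting the header from an arbitrary peer lets an attacker either hide their address or frame someone else's, so the middleware only reads it when the TCP peer is a listed proxy, and then only the hop that proxy appended.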

Organizations that discover signs of compromise should treat the incident as a full-scale intrusion: isolate affected servers, perform forensic analysis, and assess the extent of attacker access to PLM system data. Given the confirmed active exploitation and inclusion in the CISA KEV catalog, patching and checking IOCs should be completed within the next 24–48 hours — every hour of delay increases the likelihood of compromise for unpatched systems.

