CVE Catalog

Actively exploited in the wild

PTC Windchill and FlexPLM Improper Input Validation Vulnerability

PTC — Windchill and FlexPLM · Listed in the CISA KEV since 2026-06-25. This indicates confirmed attacks in production environments.

Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CVE-2026-12569

Severity: Critical · CVSS 9.8 · KEV

Exploitation Probability (EPSS)

Elevated risk
1.11%

62nd percentile — higher than 62% of all known CVEs

Summary

A critical remote code execution (RCE) vulnerability in PTC Windchill PDMlink and PTC FlexPLM. The flaw can be exploited via deserialization of untrusted data, allowing an attacker to execute arbitrary code remotely.

Risk Assessment

The risk for the organization includes potential full compromise of the vulnerable system, data theft, or disruption of business operations.

Recommendation

Immediately upgrade to version 11.0 M030 or later, and apply CPS patches for all affected versions.

Original NVD description (English source)

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.

* This advisory also applies to all CPS versions
* The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

Vulnerability data from NVD (NIST) · CISA KEV · EPSS