ctipilot.ch


UPDATE: PTC Windchill CVE-2026-12569 now confirmed exploited in the wild with JSP web shells

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

UPDATE (originally covered 2026-06-20): CISA added the PTC Windchill PDMLink / FlexPLM pre-auth deserialization RCE (CVE-2026-12569) to its Known Exploited Vulnerabilities catalog on 2026-06-25, confirming active in-the-wild exploitation — the operational shift from the disclosure we deep-dived on June 20 (The Hacker News, 2026-06-26).

Reported post-exploitation activity deploys JSP web shells to /Windchill/login/<16-hex>.jsp plus a flst.txt persistence marker: concrete hunt artefacts beyond the earlier abstract RCE description. ENISA's EUVD entry corroborates the unauthenticated deserialization root cause (ENISA EUVD EUVD-2026-37831). For Swiss/EU manufacturing, pharma and aerospace operators running Windchill, the driver is the confirmed exploitation and the web-shell pattern, not the US-only federal remediation date; patch per PTC CS473270 and hunt web-server logs for .jsp creation under /Windchill/login/.
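
One way to run the hunt described above, as an added example that is not code from the brief, PTC or CISA: it flags access-log requests to the /Windchill/login/<16-hex>.jsp pattern and walks a directory tree for matching files and flst.txt. The combined access-log format, the sample lines and function names, and matching flst.txt by name anywhere under the supplied root are assumptions; the brief does not state where the marker is written.

```python
import re
from pathlib import Path

# Web-shell name pattern from the brief: /Windchill/login/<16-hex>.jsp
SHELL_URI = re.compile(r"/Windchill/login/[0-9a-f]{16}\.jsp\b", re.IGNORECASE)
SHELL_FILE = re.compile(r"^[0-9a-f]{16}\.jsp$", re.IGNORECASE)
# Assumption: common/combined access-log format with a quoted "METHOD URI PROTO".
REQUEST = re.compile(r'^(\S+) .*?\[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def hunt_access_log(lines):
    """Return (client, time, method, uri, status) for requests matching the shell path."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and SHELL_URI.search(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return hits

def hunt_filesystem(root):
    """Return files under root named flst.txt, or <16-hex>.jsp inside a login/ directory."""
    found = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        # Assumption: the marker is matched by file name only, wherever it sits.
        if p.name.lower() == "flst.txt" or (
            p.parent.name.lower() == "login" and SHELL_FILE.match(p.name)
        ):
            found.append(p)
    return sorted(found)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jun/2026:10:01:02 +0000] "GET /Windchill/login/index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Jun/2026:10:05:41 +0000] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 87',
    '198.51.100.7 - - [25/Jun/2026:10:06:02 +0000] "GET /Windchill/login/0123456789ABCDEF.jsp?x=1 HTTP/1.1" 200 140',
    '192.0.2.10 - - [25/Jun/2026:10:07:00 +0000] "GET /Windchill/login/0123456789abcdef0.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 response to a matching URI means the file exists and was served; a hit on disk without any log hit still warrants triage, since the shell may not have been called yet or logs may have rotated.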