ctipilot.ch

CVE-2026-12569 — PTC Windchill / FlexPLM: pre-auth deserialization RCE, now confirmed exploited with JSP web shells (CISA KEV)

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

When first covered (06-20) and again in the W25 weekly, this was a pre-auth deserialization flaw, with BSI escalating to admins out-of-hours. The in-window delta: CISA added it to KEV on 06-25, and JSP web-shell deployment against the login interface is now confirmed in the wild. Any internet-reachable Windchill PDMLink or FlexPLM instance should be treated as presumed compromised; manufacturing and defence-supplier PLM is exactly the externally-reachable engineering surface that a Swiss/EU industrial estate forgets to inventory.
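Triage aid for the assume-compromise call above, added to this brief as an example and not code from ctipilot.ch or PTC: it walks a servlet container's web root and flags JSP/JSPX files that are absent from a baseline manifest, modified after a baseline timestamp, or contain source patterns that reach the OS or a class loader. The web-root path, the baseline manifest and the indicator list are assumptions to tune per deployment; the sample files are constructed inline so the script runs offline.

```python
"""
Hunt for JSP web shells in a servlet container's web root.

Added example for this brief; not ctipilot.ch's or PTC's code. The web-root
path, baseline manifest and indicator strings are assumptions: adapt them to
the actual Windchill/FlexPLM install and to a known-good file listing.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Source patterns a JSP needs in order to spawn a process or load raw
# bytecode. Ordinary application JSPs almost never contain them, so a hit is
# a triage lead, not proof of compromise on its own.
INDICATORS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"ProcessBuilder"),
    re.compile(r"defineClass"),
]


@dataclass
class Finding:
    path: str          # path relative to the web root, forward slashes
    reasons: list      # why the file was flagged


def scan_web_root(root, baseline_mtime, known_files=frozenset()):
    """Return a sorted list of Finding for .jsp/.jspx files that are new
    relative to the baseline manifest, modified after baseline_mtime, or
    contain one of the INDICATORS patterns."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if known_files and rel not in known_files:
                reasons.append("not in baseline manifest")
            if os.path.getmtime(full) > baseline_mtime:
                reasons.append("modified after baseline")
            try:
                with open(full, "r", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for pat in INDICATORS:
                if pat.search(src):
                    reasons.append(f"indicator: {pat.pattern}")
            if reasons:
                findings.append(Finding(rel, reasons))
    return sorted(findings, key=lambda f: f.path)


def demo():
    """Constructed web root: one benign, aged JSP that is in the manifest and
    one fresh, unlisted JSP that references ProcessBuilder."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "app")
    os.makedirs(app_dir)

    benign = os.path.join(app_dir, "login.jsp")
    with open(benign, "w") as fh:
        fh.write("<%@ page import='java.util.Date' %><html><%= new Date() %></html>")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(benign, (thirty_days_ago, thirty_days_ago))

    suspicious = os.path.join(app_dir, "x.jsp")
    with open(suspicious, "w") as fh:
        # constructed sample: non-functional, only carries the indicator string
        fh.write("<% Class.forName(\"java.lang.ProcessBuilder\"); %>")

    baseline = time.time() - 7 * 86400          # last known-good snapshot
    manifest = frozenset({"app/login.jsp"})     # files shipped with the app
    return scan_web_root(root, baseline, known_files=manifest)


if __name__ == "__main__":
    for f in demo():
        print(f.path, "->", "; ".join(f.reasons))
```

Run it against the real web root with a manifest generated from a clean install of the same Windchill build; treat "not in baseline manifest" plus any indicator as the strongest signal, and correlate the file's mtime with access-log entries for the login interface.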