ctipilot.ch


CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30

high · synthesis · discovered 2026-06-22 00:14 UTC

Entities: NCSC-CH

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

If you did nothing this week: if you run an internet-reachable PTC Windchill or FlexPLM instance, assume compromise — a pre-auth deserialization flaw on the login interface is being exploited to drop backdoors, and the German BSI considered it urgent enough to phone operators in the middle of the night.

CVE-2026-12569 (CVSS 3.1 10.0; CVSS 4.0 9.3) is an unsafe deserialization of untrusted data reachable on the web-based Windchill/FlexPLM login interface before authentication — no credentials, no prior foothold, no user interaction (NCSC-CH Security Hub, 2026-06-19; daily 06-20 deep dive). PTC shipped fixes on 2026-06-15 and auto-patched cloud tenants; affected on-premises builds span the 11.x, 12.0.x, 12.1.x, 13.0.x and 13.1.0.0–13.1.3.0 lines as well as releases prior to 11.0 M030 (PTC PSIRT). Both BSI and NCSC-CH treat it as actively exploited, with Heise reporting backdoor deployment on vulnerable servers and the BSI escalating to direct after-hours phone calls — a step reserved for its highest-urgency advisories (Heise Security, 2026-06-19).

Windchill and FlexPLM are the product-lifecycle-management backbone across DACH manufacturing, aerospace, automotive and the defence-industrial base, holding engineering crown jewels (CAD, BOMs, supplier data) behind increasingly internet-reachable supplier portals — which is exactly why the BSI mobilised. Patch every on-premises instance, confirm cloud tenants were auto-patched, and until then pull the login interface off the internet behind a VPN or authenticating reverse proxy. Hunt for bursts of Java deserialization exceptions on the login path and for the Windchill application-server process (JBoss/WildFly/WebLogic) spawning shells or scripting interpreters (ATT&CK T1190, T1505.003).
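As an added example (not code from ctipilot.ch, PTC or the advisories cited), a small Python hunt script that implements the "deserialization exception burst on the login path" check over constructed log lines. The line format, the `/Windchill/login` path and the exception list are assumptions; real JBoss/WildFly/WebLogic logs differ, so the regex and path need adapting to your deployment.

```python
# Added example (not ctipilot.ch's or PTC's code): sliding-window burst detector for
# Java deserialization exceptions on a login path. Log format and path are placeholders.
import re
from collections import defaultdict
from datetime import datetime, timedelta

DESER_EXC = {  # typical exceptions when ObjectInputStream meets a hostile/unknown stream
    "java.io.InvalidClassException", "java.io.StreamCorruptedException",
    "java.io.OptionalDataException", "java.lang.ClassNotFoundException",
}
# Constructed line format: <iso-timestamp> <client-ip> <method> <path> <exception-class>
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+) (\S+)$")

# Constructed sample: one client hammering the login path, one client with a single error.
SAMPLE_LOG = """\
2026-06-19T02:12:01Z 203.0.113.7 POST /Windchill/login java.io.InvalidClassException
2026-06-19T02:12:02Z 203.0.113.7 POST /Windchill/login java.lang.ClassNotFoundException
2026-06-19T02:12:03Z 203.0.113.7 POST /Windchill/login java.io.StreamCorruptedException
2026-06-19T02:12:04Z 203.0.113.7 POST /Windchill/login java.io.InvalidClassException
2026-06-19T02:12:05Z 203.0.113.7 POST /Windchill/login java.lang.ClassCastException
2026-06-19T02:30:00Z 198.51.100.4 POST /Windchill/login java.io.InvalidClassException
"""

def parse(line):
    """Return (timestamp, ip, path, exception) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, path, exc = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, path, exc

def find_bursts(log_text, login_path="/Windchill/login", window_s=60, threshold=3):
    """Map client IP -> peak deserialization-exception count on the login path in any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2].startswith(login_path) and rec[3] in DESER_EXC:
            events[rec[1]].append(rec[0])
    hits, window = {}, timedelta(seconds=window_s)
    for ip, times in events.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:  # only report clients that reached the burst threshold
            hits[ip] = best
    return hits
```

On the constructed sample, `find_bursts(SAMPLE_LOG)` flags only `203.0.113.7` (four qualifying exceptions within seconds); the single exception from the second client stays below the threshold, and the `ClassCastException` line is ignored because it is not in the deserialization set.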

“Attacks on the deserialization vulnerability are apparently already underway to place backdoors on vulnerable servers.” — Heise Security

“At 2:30 AM, a BSI employee called the company, reported a new zero-day vulnerability, and urged immediate patches.” — Heise Security

Tags: vulnerabilities, actively-exploited, pre-auth, rce, europe, dach, switzerland, CVE-2026-12569