ctipilot.ch


PTC Windchill CVE-2026-12569 now confirmed exploited in the wild with JSP web shells

high · vulnerability · discovered 2026-06-27 05:17 UTC

Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)

UPDATE — originally covered PTC Windchill CVE-2026-12569: unauthenticated Java deserialization to RCE on the PLM management plane (2026-06-20)

UPDATE (originally covered 2026-06-20): CISA added the PTC Windchill PDMLink / FlexPLM pre-auth deserialization RCE (CVE-2026-12569) to its Known Exploited Vulnerabilities catalog on 2026-06-25, confirming active in-the-wild exploitation — the operational shift from the disclosure we deep-dived on June 20 (The Hacker News, 2026-06-26).

Reported post-exploitation activity deploys JSP web shells to /Windchill/login/<16-hex>.jsp plus a flst.txt persistence marker, which gives concrete hunt artefacts beyond the earlier abstract RCE description. ENISA's EUVD entry corroborates the unauthenticated deserialization root cause (ENISA EUVD EUVD-2026-37831). For Swiss/EU manufacturing, pharma and aerospace operators running Windchill, the driver is the confirmed exploitation and the web-shell pattern, not the US-only federal remediation date; patch per PTC CS473270 and hunt web-server logs for .jsp creation under /Windchill/login/.


Action items

  • Patch PTC Windchill PDMLink/FlexPLM (CVE-2026-12569) now — exploitation is CISA-confirmed and JSP web shells are being deployed; hunt web-server logs for .jsp files created under /Windchill/login/ and a flst.txt marker (§ 4).
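One way to run the web-server log hunt described above, as an added example that is not part of the original brief or of PTC's guidance. It assumes access logs in Apache common/combined format and flags requests to the two artefacts (a request proves the file was reachable, not when it was created); the function names, the sample lines and the any-directory match for flst.txt are assumptions made here.

```python
import re
from urllib.parse import unquote, urlsplit

# Request part of a common/combined log entry: "METHOD target HTTP/x" status
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Web shell naming pattern from the brief: /Windchill/login/<16-hex>.jsp
SHELL = re.compile(r"^/windchill/login/[0-9a-f]{16}\.jsp$")
# Marker file from the brief; its directory is not stated, so match any path (assumption)
MARKER = re.compile(r"(^|/)flst\.txt$")

def classify(line):
    """Return (indicator, method, path, status) for a suspicious line, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    # Normalise before matching: drop the query string, decode %-escapes,
    # strip ;jsessionid-style path parameters, and lowercase.
    path = unquote(urlsplit(m["target"]).path).split(";", 1)[0].lower()
    if SHELL.match(path):
        kind = "webshell-path"
    elif MARKER.search(path):
        kind = "flst-marker"
    else:
        return None
    return kind, m["method"], path, int(m["status"])

def hunt(lines):
    """Return all hits in log order; a 200 on a shell path means the file answered."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real telemetry
SAMPLE = [
    '192.0.2.10 - - [27/Jun/2026:04:01:12 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Jun/2026:04:02:40 +0000] '
    '"POST /Windchill/login/3fa91c0de27b4a68.jsp?c=1 HTTP/1.1" 200 312',
    '198.51.100.7 - - [27/Jun/2026:04:02:44 +0000] "GET /Windchill/login/flst.txt HTTP/1.1" 200 14',
    '192.0.2.10 - - [27/Jun/2026:04:03:02 +0000] "GET /Windchill/login/index.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [27/Jun/2026:04:05:19 +0000] '
    '"GET /Windchill/login/3FA91C0DE27B4A68.jsp;jsessionid=AB12 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for kind, method, path, status in hunt(SAMPLE):
        print(f"{kind:14} {status} {method:5} {path}")
```

Treat a 404 on a matching path as scanning or a shell that has since been removed, and pair any hit with a file-system check of the login directory.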


vulnerabilities actively-exploited rce pre-auth cisa-kev global europe CVE-2026-12569