ctipilot.ch


CVE-2026-12569 — PTC Windchill / FlexPLM: pre-auth deserialization RCE, now confirmed exploited with JSP web shells (CISA KEV)

notable vulnerability discovered 2026-06-29 00:20 UTC

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

When first covered (06-20) and in the W25 weekly, this was a pre-auth deserialization flaw with BSI escalating it to admins out-of-hours. The in-window delta: CISA added it to KEV on 06-25, and JSP web-shell deployment against the login interface is now confirmed in the wild. Any internet-reachable Windchill PDMLink or FlexPLM instance should be treated as assume-compromise; manufacturing and defence-supplier PLM is exactly the externally reachable engineering surface that a Swiss/EU industrial estate forgets to inventory.


vulnerabilities actively-exploited rce pre-auth cisa-kev global europe CVE-2026-12569