CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue

Ravie LakshmananJun 26, 2026Vulnerability / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network. 

“The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data,” according to an advisory released by PTC.

Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that “we’ve received continued reports of heightened threat activity,” with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems.

PTC has also released the following indicators of compromise (IoCs) associated with the activity –

• 172.111.38.31
• 216.152.148.54
• 104.243.35.131
• 74.50.76.146
• 5.180.41.35
• 216.152.148.54
• 5.180.41.35 (Attacker command-and-control address)
• Web shell files following the naming pattern /Windchill/login/[0-9a-f]{16}.jsp

As mitigations, users are advised to perform the following actions –

• Block 5.180.41.35 at the perimeter firewall immediately
• Search HTTP access logs for any POST requests to /Windchill/login/*.jsp
• Scan the filesystem for JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}.jsp
• Hash-check any suspicious JSP files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
• Check for flst.txt in /tmp or the Windchill working directory, the presence of which confirms attacker file-listing activity
• Add WAF / IDS rule blocking any request containing the header X-windchill-req:
• Restrict internet exposure of the Windchill login endpoint where operationally possible

The development makes it the first-ever PTC product vulnerability added to CISA’s KEV catalog, not to mention highlighting how threat actors are rapidly weaponizing newly disclosed vulnerabilities to their advantage.