What happened
CVE-2026-12569 (CWE-20, CWE-502) affects the PTC Windchill and FlexPLM product lifecycle management platforms. An unauthenticated, remote attacker can send a malicious network request that exploits improper input validation (CWE-20), including a deserialization path (CWE-502), to achieve arbitrary code execution. CISA added the vulnerability to the KEV catalog on June 25, 2026, with a mandatory remediation deadline for federal agencies of June 28, 2026.
Why it matters
PTC Windchill is a widely deployed PLM system that is increasingly integrated with AI-powered design tools, digital twins, and generative design platforms in the manufacturing and defence sectors. Unauthenticated RCE via deserialization in a PLM platform can give attackers direct access to AI-assisted engineering workflows, proprietary design data, and manufacturing automation pipelines. The three-day federal patch window and confirmed active exploitation make remediation acutely urgent.
Attack vector
An unauthenticated attacker sends a malicious network request that exploits improper input validation and/or unsafe deserialization to achieve remote code execution on the PTC server.
Affected systems
PTC Windchill and FlexPLM (all versions prior to the vendor-patched release listed in CS473270).
Mitigation
Apply vendor mitigations per PTC support article CS473270: https://www.ptc.com/en/support/article/CS473270. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
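The attack vector and mitigation sections above describe the CWE-502 pattern in general terms: a network-reachable deserializer that instantiates whatever classes the incoming stream names. The following is an added example, not PTC code, and it assumes nothing about how Windchill or FlexPLM actually deserialize data; Python's pickle stands in for whatever serializer a service exposes, and PartRevision, AllowlistUnpickler, deserialize_unsafe, deserialize_safe and the sample blobs are constructed for illustration. It places the unsafe pattern beside the allowlist-based hardening that a defender can apply to any deserialization endpoint while the vendor fix is being rolled out.

```python
import datetime
import io
import pickle
from dataclasses import dataclass


@dataclass
class PartRevision:
    """Constructed sample type standing in for an object a PLM service legitimately exchanges."""
    number: str
    revision: str


# A serialized request body as a well-behaved client would send it (constructed sample input).
PART_BLOB = pickle.dumps(PartRevision("PN-1001", "B"))

# A stream naming a class the service never asked for; datetime.date is a harmless
# stand-in for whatever type a sender-controlled stream chooses to reference.
UNEXPECTED_BLOB = pickle.dumps(datetime.date(2026, 6, 28))


def deserialize_unsafe(blob: bytes):
    """CWE-502 as written: the stream itself names the classes to instantiate,
    so an unauthenticated sender decides which code runs on the server."""
    return pickle.loads(blob)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened form: resolve only the (module, class) pairs on an explicit allowlist.
    Anything else is refused before a single object is constructed."""

    ALLOWED = {(PartRevision.__module__, "PartRevision")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def deserialize_safe(blob: bytes):
    """Deserialize with the allowlist enforced on every class reference."""
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def rejected_by_allowlist(blob: bytes) -> bool:
    """True if the hardened path refuses the stream; used to check behaviour."""
    try:
        deserialize_safe(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe path accepts the unexpected type:", deserialize_unsafe(UNEXPECTED_BLOB))
    print("hardened path rejects it:", rejected_by_allowlist(UNEXPECTED_BLOB))
    print("hardened path still loads the expected type:", deserialize_safe(PART_BLOB))
```

The unsafe path happily materializes a type the service never expected, which is exactly the property an RCE chain relies on; the allowlist turns that into a refusal with no object constructed. On a JVM-based service the equivalent control is a serialization filter (ObjectInputFilter, JEP 290) with an allowlist of expected classes and a trailing reject-all rule. Either way this is a compensating control that narrows the deserialization surface; it does not replace the vendor-patched release from CS473270.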