Hackers exploit critical PTC Windchill PLM software flaw


Hackers are exploiting a critical vulnerability recently patched in PTC Windchill and FlexPLM, two product lifecycle management solutions used by organizations across a range of industries, including defense, aerospace, automotive, medical, electronics, industrial machinery, and consumer goods.

The vulnerability, tracked as CVE-2026-12569, is an unsafe deserialization flaw that can be leveraged for remote code execution. It is located in the web-based Windchill PDMLink product data management component and carries a CVSS score of 9.3.

Product lifecycle management software is vital to organizations that manufacture products as it allows them to track a product from design to retirement, including storing CAD designs, bills of materials, workflows, engineering data, and more.

PTC alerted customers about the vulnerability and shared mitigation instructions on June 17. Over the next two days the company also released patches for Windchill versions 13.1.1, 13.0.2, 12.1.2, 12.0.2, 11.2.1, 11.1 M020, and 11.0 M030, as well as indicators of compromise.

On Thursday, PTC updated its advisory to warn customers that it has received reports of heightened threat activity. The update included new indicators of compromise that suggest attackers are deploying web shells — backdoor web scripts — on compromised instances. On the same day the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
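The advisory's mention of web shells on compromised instances is the kind of indicator an administrator can hunt for directly. What follows is an added example, not PTC's tooling and not its published indicators of compromise: a small Python scanner that walks a Java web root and flags JSP files that both read attacker-controllable request input and execute commands or load classes, optionally limited to files modified after a given timestamp. The patterns, directory layout and sample page contents are constructed for illustration; real hits must be reviewed by hand and compared against the vendor's indicators.

```python
"""Hunt for JSP web shells dropped under a Java web root (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Heuristic markers typical of JSP web shells. These are generic patterns
# chosen for illustration (an assumption), not indicators published by PTC.
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
    re.compile(r"\.defineClass\s*\("),  # reflective class loading
]
INPUT_PATTERNS = [
    re.compile(r"request\.getParameter\s*\("),
    re.compile(r"request\.getHeader\s*\("),
    re.compile(r"request\.getInputStream\s*\("),
]
WEB_EXTS = {".jsp", ".jspx", ".jspf"}


def classify(text: str) -> List[str]:
    """Return the reasons a JSP source looks like a shell (empty if benign).

    A file is flagged only when it both runs commands or loads classes AND
    takes request input; either behaviour alone is common in legitimate pages.
    """
    exec_hits = [p.pattern for p in EXEC_PATTERNS if p.search(text)]
    input_hits = [p.pattern for p in INPUT_PATTERNS if p.search(text)]
    if exec_hits and input_hits:
        return exec_hits + input_hits
    return []


def scan_web_root(root, since: Optional[float] = None) -> List[Dict]:
    """Walk root and return flagged JSP files, newest first.

    since: optional UNIX timestamp; files modified before it are skipped so an
    analyst can focus on files that appeared after the advisory or last deploy.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in WEB_EXTS:
                continue
            mtime = path.stat().st_mtime
            if since is not None and mtime < since:
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            reasons = classify(text)
            if reasons:
                findings.append({"path": path, "mtime": mtime, "reasons": reasons})
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


def build_sample_root() -> Path:
    """Create a constructed web root: one benign page and one shell-like page."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "app").mkdir()
    # Benign: reads a parameter but only echoes it into the page.
    (root / "app" / "search.jsp").write_text(
        '<%@ page language="java" %>\n'
        '<% String q = request.getParameter("q"); %>\n'
        '<p>Results for <%= q %></p>\n'
    )
    # Shell-like: passes a request parameter straight to a command runner.
    (root / "app" / "cache.jsp").write_text(
        '<%@ page import="java.io.*" %>\n'
        '<% String c = request.getParameter("cmd");\n'
        '   Process p = Runtime.getRuntime().exec(c);\n'
        '   out.print(new String(p.getInputStream().readAllBytes())); %>\n'
    )
    (root / "README.txt").write_text("not a jsp file\n")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for f in scan_web_root(root):
        print(f["path"], time.ctime(f["mtime"]), f["reasons"])
```

In practice, point `scan_web_root` at the web application directory of the affected instance with `since` set to the time of the last known-good deployment; anything flagged after that point warrants a closer look, and absence of hits does not prove a clean system, since the patterns are heuristics and shells can be obfuscated.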

Active exploitation of product lifecycle management software is rare, but it is not surprising given the software's footprint in sectors that are attractive to threat actors for both cyber espionage and data extortion, and given that these systems store highly sensitive intellectual property.

In fact, the potential damage to organizations is serious enough that back in March, German police reportedly took the unusual step of contacting companies in person in the middle of the night to warn about a different zero-day vulnerability in Windchill that, according to their information, attackers were planning to exploit.

The German Federal Office for Information Security (BSI) alerted companies about that vulnerability as well, stressing that it had reliable information about impending cyberattacks, the Heise media group reported.

PTC Windchill was first released 28 years ago and has more than 1.5 million users around the world, including companies such as BMW, Lockheed Martin, Boeing, and NVIDIA. PTC FlexPLM is a variant specifically designed for the retail, footwear, apparel, and consumer products industries.
