Ravie LakshmananJun 26, 2026Vulnerability / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network.

"The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data," according to an advisory released by PTC.

Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that "we've received continued reports of heightened threat activity," with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems.