
Customer Updates: Remote Code Execution Vulnerability in PTC’s Windchill and FlexPLM Solutions


Critical Vulnerability in Windchill and FlexPLM

PTC has identified a critical vulnerability in Windchill and FlexPLM (CVE-2026-12569) that requires immediate action. This vulnerability could allow an unauthorized user to execute code remotely.

The following eSupport article includes the full list of affected Windchill and FlexPLM versions and the remediation steps customers should take immediately: https://www.ptc.com/en/support/article/CS473270

If you have any questions about the remediation steps, please log a technical support case.

If your instance of Windchill and/or FlexPLM is hosted by PTC, no action is required.

Updates on availability of patches will be provided below.

Patch Information

Version 13.1.2.8: PTC Software Download - under "Release 13.1 -> PTC Windchill Security Update Patches-> Show all other available Versions -> Version: 13-1-2-8"

Version 13.1.3.4: PTC Software Download - under "Release 13.1 -> PTC Windchill Security Update Patches-> Most Recent Version -> Version: 13-1-3-4"

Version 13.0.2: PTC Software Download - under "Release 13.0 -> PTC Windchill 13.0 Service Pack - Critical Patch Sets Bundles -> Version: 13-0-2-12 -> 13-0-XXXX-CPSXB3-TPATCH"

Change Log

6/18/2026 at 2:00 PM ET

Customers should review their environments for the following Indicators of Compromise (IOCs):

CVE-2026-12569 - IOCs

Monitor for the deployment of persistent JSP webshells into the Windchill login directory, which enables remote command execution and possible data exfiltration. The known Indicators of Compromise (IOCs) are listed below; there could be others.

Network IOCs

Attacker Command & Control (C2) IPv4 address: 5.180.41.35 (block at perimeter)

Known Webshell Paths

URL /Windchill/login/7c0a0a34c9d8d53b.jsp

URL /Windchill/login/46b158b8607a4c00.jsp

URL /Windchill/login/64652883d9de3299.jsp

URL /Windchill/login/56c9be44a436c4a2.jsp

URL /Windchill/login/4b57d0652345d383.jsp

URL /Windchill/login/ec6ba805a076e709.jsp

Hunt beyond the known list. The attacker names webshells using 16 lowercase hex characters. Search logs for any POST to /Windchill/login/[0-9a-f]{16}.jsp — new shells may be deployed at any time with different names.

Malicious Request Header

Header: X-windchill-req: ?x8Fmgow
The first character of the value is the command selector. This header has no legitimate use in Windchill.

File IOCs

Webshell SHA-256: 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c

Dropped file: flst.txt in /tmp or the Windchill working directory (evidence of attacker file-listing activity)

Recommended Actions

1. Block 5.180.41.35 at the perimeter firewall immediately.

2. Search HTTP access logs for any POST to /Windchill/login/*.jsp — legitimate Windchill traffic does not POST to this path.

3. Scan the filesystem for .jsp files matching the 16-hex-char pattern under .../Windchill/codebase/login/.

4. Hash-check any suspicious .jsp files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c.

5. Check for flst.txt in /tmp or the Windchill working directory — its presence confirms attacker file-listing activity.

6. Add a WAF / IDS rule that blocks any request containing the X-windchill-req: header.

7. Alert on large POST responses (multi-MB) originating from .jsp files in the Windchill application tier.

8. Restrict internet exposure of the Windchill login endpoint where operationally possible.

Detection Rule Sketches

SIEM / Log query

// Flag any POST to the hex-named JSP pattern
method = "POST"
AND uri_path MATCHES "^/Windchill/login/[0-9a-f]{16}\.jsp$"

WAF / IDS — header rule

// Block the custom C2 command header

request.headers contains "X-windchill-req"  →  DROP + ALERT

File integrity / EDR

path: <WT_HOME>/codebase/login/*.jsp
sha256: 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c

Pre-attack recon detection (specific to FlexPLM)

// WSDL probe that precedes webshell deployment
method = "GET"
AND uri_path MATCHES "^/Windchill/rfa/jsp/login/.*\.jsp\?wsdl$"
AND response_bytes = 4045
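As an added example that is not PTC's code, the following Python script applies the log-query sketches above (hex-named JSP POST, large-response flag, FlexPLM WSDL probe, and the X-windchill-req header check) to constructed access-log lines in Apache/Tomcat combined log format. The IP addresses and the first webshell filename (0f1e2d3c4b5a6978.jsp) are made-up values chosen to show that the pattern rule catches names outside the known IOC list.

```python
import re

# Constructed sample lines (not real traffic). Line 3 uses a made-up webshell
# name that is NOT in PTC's known list; line 4 uses a name that is.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2026:13:01:02 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2026:13:01:09 +0000] "POST /Windchill/servlet/WindchillAuthGW/wt.httpgw.HTTPAuthGateway HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jun/2026:13:02:44 +0000] "POST /Windchill/login/0f1e2d3c4b5a6978.jsp HTTP/1.1" 200 3145728 "-" "curl/8.0"
198.51.100.9 - - [18/Jun/2026:13:02:50 +0000] "POST /Windchill/login/7c0a0a34c9d8d53b.jsp HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.9 - - [18/Jun/2026:12:58:10 +0000] "GET /Windchill/rfa/jsp/login/login.jsp?wsdl HTTP/1.1" 200 4045 "-" "python-requests/2.31"
203.0.113.8 - - [18/Jun/2026:13:03:00 +0000] "GET /Windchill/login/abcdef0123456789.jsp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
WEBSHELL_PATH = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")   # PTC's pattern
WSDL_PROBE_PATH = re.compile(r"^/Windchill/rfa/jsp/login/.*\.jsp$")   # query handled separately
WSDL_PROBE_BYTES = 4045          # response size PTC observed for the recon probe
LARGE_RESPONSE = 1024 * 1024     # "multi-MB" exfiltration flag (Recommended Action 7)


def hunt(log_text):
    """Return (client_ip, path, tag) for every line matching a rule sketch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        if m["method"] == "POST" and WEBSHELL_PATH.match(path):
            tag = "webshell-post"
            if size >= LARGE_RESPONSE:
                tag += "+large-response"
            hits.append((m["ip"], path, tag))
        elif (m["method"] == "GET" and WSDL_PROBE_PATH.match(path)
              and query == "wsdl" and size == WSDL_PROBE_BYTES):
            hits.append((m["ip"], path, "flexplm-wsdl-probe"))
    return hits


def has_c2_header(headers):
    """Recommended Action 6: any X-windchill-req header (any value, any case) is hostile."""
    return any(name.lower() == "x-windchill-req" for name in headers)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The GET to a hex-named .jsp on the last sample line is deliberately not flagged, matching the sketch's POST-only condition; widen the method check if your environment wants probes surfaced too.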

If you have any questions about the IOCs, please open a technical support ticket.