Critical Vulnerability in Windchill and FlexPLM
PTC has identified a critical vulnerability in Windchill and FlexPLM (CVE-2026-12569) that requires immediate action. This vulnerability could allow an unauthorized user to execute code remotely.
The following eSupport article includes the full list of affected Windchill and FlexPLM versions and the remediation steps customers should take immediately: https://www.ptc.com/en/support/article/CS473270
If you have any questions, please log a technical support case.
If your instance of Windchill and/or FlexPLM is hosted by PTC, remediation steps are being taken on your behalf. PTC will contact you directly if any additional action is required on your part.
Future Updates
This is an ongoing situation. Moving forward, updates and other relevant communications about this situation will be published within this article on PTC’s Trust Center. We encourage you to check this article daily for the latest updates.
For immediate updates on remediation steps, patch availability, and other technical details, we strongly recommend that customers and partners subscribe to PTC’s eSupport site and the relevant eSupport article, CS473270.
Instructions for subscribing to the eSupport site and relevant eSupport articles are listed below.
eSupport site Instructions:
1. From any page on the eSupport site, navigate to account settings under your user icon and click Manage Notifications.
2. You will land on a page where you can subscribe to alerts by product line.
3. Open the alerts section and select Windchill.
eSupport article Instructions:
1. Navigate to the relevant eSupport article (eSupport Article – CS473270).
2. Hover over the ellipsis on the left side of the article and select Subscribe to this article.
Please note: you must be logged into your eSupport account for the ellipsis to be visible.
Change Log
6/23/2026 at 7:00 PM ET
New remediation steps are now available and should be applied immediately. Available in eSupport article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS473270
Customers should review their environments for the following Indicators of Compromise (IOCs):
- IOC IP address: 216.152.148.54
6/19/2026 at 10:30 PM ET
Patches for Windchill versions 11.0 M030 and 13.1.1 are now available. Customers running these versions are urged to apply the corresponding patch immediately.
Patch downloads available in eSupport article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS473270
6/19/2026 at 1:05 PM ET
Patches for Windchill versions 11.2.1 and 111.1 M020 now available. Customers running these versions are urged to apply the corresponding patch immediately.
Patch downloads available in eSupport article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS473270
6/18/2026 at 5:30 PM ET
Patches for Windchill versions 12.1.2 and 12.0.2 now available. Customers running these versions are urged to apply the corresponding patch immediately.
Patch downloads available in eSupport article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS473270
6/18/2026 at 2:00 PM ET
Customers should review their environments for the following Indicators of Compromise (IOCs):
CVE-2026-12569 - IOCs
Monitor for the deployment of persistent JSP webshells into the Windchill login directory, enabling remote command execution and possible data exfiltration. The known Indicators of Compromise (IOCs) are listed below; there could be others.
Network IOCs
Attacker Command & Control (C2) IP (IPv4): 5.180.41.35. Block at perimeter.
Known Webshell Paths (URL)
- /Windchill/login/7c0a0a34c9d8d53b.jsp
- /Windchill/login/46b158b8607a4c00.jsp
- /Windchill/login/64652883d9de3299.jsp
- /Windchill/login/56c9be44a436c4a2.jsp
- /Windchill/login/4b57d0652345d383.jsp
- /Windchill/login/ec6ba805a076e709.jsp
Hunt beyond the known list. The attacker names webshells using 16 lowercase hex characters. Search logs for any POST to /Windchill/login/[0-9a-f]{16}.jsp — new shells may be deployed at any time with different names.
Malicious Request Header
Header: X-windchill-req: ?x8Fmgow
The first character is the command selector. This header has no legitimate use in Windchill.
File IOCs
Recommended Actions
1. Block 5.180.41.35 at the perimeter firewall immediately.
2. Search HTTP access logs for any POST to /Windchill/login/*.jsp — legitimate Windchill traffic does not POST to this path.
3. Scan the filesystem for .jsp files matching the 16-hex-char pattern under .../Windchill/codebase/login/.
4. Hash-check any suspicious .jsp files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c.
5. Check for flst.txt in /tmp or the Windchill working directory — its presence confirms attacker file-listing activity.
6. Add WAF / IDS rule blocking any request containing the header X-windchill-req:.
7. Alert on large POST responses (multi-MB) originating from .jsp files in the Windchill application tier.
8. Restrict internet exposure of the Windchill login endpoint where operationally possible.
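An added example (not PTC's code) that implements actions 3 to 5 above in Python: it walks the login directory under an assumed WT_HOME, flags .jsp files whose names match the 16-hex-character pattern, compares their SHA-256 against the hash in action 4, and checks the given working directories for flst.txt. The directory layout it scans is constructed in a temporary folder so the script runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Hash, name pattern and artifact name come from the advisory; WT_HOME is assumed.
KNOWN_WEBSHELL_SHA256 = "55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c"
HEX_JSP_RE = re.compile(r"^[0-9a-f]{16}\.jsp$")
FILE_LISTING_ARTIFACT = "flst.txt"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_host(wt_home: Path, working_dirs: List[Path]) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for the file IOCs named in the advisory."""
    findings = []
    login_dir = wt_home / "codebase" / "login"
    for p in sorted(login_dir.glob("*.jsp")):
        if HEX_JSP_RE.match(p.name):
            # The name pattern alone is suspicious; the hash only confirms the known sample.
            if sha256_of(p) == KNOWN_WEBSHELL_SHA256:
                findings.append(("known webshell (hash match)", str(p)))
            else:
                findings.append(("hex-named JSP (unknown hash, review manually)", str(p)))
    for d in working_dirs:
        artifact = d / FILE_LISTING_ARTIFACT
        if artifact.is_file():
            findings.append(("attacker file-listing artifact", str(artifact)))
    return findings

def demo() -> List[Tuple[str, str]]:
    """Build a constructed (not real) WT_HOME layout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    login = root / "wt" / "codebase" / "login"
    login.mkdir(parents=True)
    (login / "login.jsp").write_text("<%-- legitimate-looking page, constructed --%>")
    (login / "0123456789abcdef.jsp").write_text("<%-- constructed placeholder, not a webshell --%>")
    work = root / "work"
    work.mkdir()
    (work / FILE_LISTING_ARTIFACT).write_text("constructed")
    return scan_host(root / "wt", [Path("/tmp"), work])

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

On a real host, call scan_host with the actual WT_HOME and the Windchill working directory in place of demo().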
Detection Rule Sketches
SIEM / Log query
// Flag any POST to the hex-named JSP pattern
method = "POST"
AND uri_path MATCHES "^/Windchill/login/[0-9a-f]{16}\.jsp$"
WAF / IDS — header rule
// Block the custom C2 command header
request.headers contains "X-windchill-req" → DROP + ALERT
File integrity / EDR
path <WT_HOME>/codebase/login/*.jsp
sha256: 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
Pre-attack recon detection (specific to FlexPLM)
// WSDL probe that precedes webshell deployment
method = "GET"
AND uri_path MATCHES "^/Windchill/rfa/jsp/login/.*\.jsp\?wsdl$"
AND response_bytes = 4045
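An added example, not from PTC, that applies the SIEM and pre-attack recon sketches above to Apache-style combined access-log lines in Python. The log format and the sample lines are constructed assumptions; the C2 IPs, the hex-named JSP pattern, the WSDL probe path and the 4045-byte response size come from this article. The header rule is not covered because the custom header is not visible in standard access logs.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory above.
C2_IPS = {"5.180.41.35", "216.152.148.54"}
WEBSHELL_RE = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
WSDL_PROBE_RE = re.compile(r"^/Windchill/rfa/jsp/login/[^?]*\.jsp\?wsdl$")
WSDL_PROBE_BYTES = 4045

# Apache/Tomcat "combined" access-log layout (assumed format of the log being searched).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify(line: str) -> List[str]:
    """Return the IOC reasons that match one access-log line (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    ip, method, uri = m["ip"], m["method"], m["uri"]
    size = int(m["bytes"]) if m["bytes"] != "-" else 0
    if ip in C2_IPS:
        reasons.append(f"traffic from known C2 IP {ip}")
    if method == "POST" and WEBSHELL_RE.match(uri):
        reasons.append(f"POST to hex-named JSP {uri}")
    if method == "GET" and WSDL_PROBE_RE.match(uri) and size == WSDL_PROBE_BYTES:
        reasons.append("FlexPLM WSDL recon probe (4045-byte response)")
    return reasons

def hunt(lines) -> List[Dict[str, object]]:
    """Run classify() over a log and keep only the lines with at least one hit."""
    return [{"line": ln, "reasons": r} for ln in lines if (r := classify(ln))]

# Constructed sample log lines (not real traffic); only the patterns matter.
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Jun/2026:09:00:01 -0400] "GET /Windchill/app/ HTTP/1.1" 200 5123',
    '10.0.0.7 - - [18/Jun/2026:09:00:05 -0400] "GET /Windchill/login/login.jsp HTTP/1.1" 200 3201',
    '198.51.100.23 - - [18/Jun/2026:09:02:11 -0400] "GET /Windchill/rfa/jsp/login/foo.jsp?wsdl HTTP/1.1" 200 4045',
    '198.51.100.23 - - [18/Jun/2026:09:03:40 -0400] "POST /Windchill/login/7c0a0a34c9d8d53b.jsp HTTP/1.1" 200 18',
    '5.180.41.35 - - [18/Jun/2026:09:05:02 -0400] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 3145728',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["reasons"], "<-", hit["line"])
```

The last sample line uses a constructed shell name not on the known list, which is why the pattern rule rather than a fixed path list is what catches it.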
If you have any questions about the IOCs, please open a technical support ticket.
6/18/2026 at 10:25 AM ET
Patch for Windchill version 13.0.2 now available. Customers running this version are urged to apply the patch immediately.
Patch downloads available in eSupport article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS473270
6/17/2026 at 2:16 PM ET
Remediation steps are now available and should be applied immediately. Available in eSupport article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS473270