Attackers Are Planting Webshells in PTC Windchill. It's the First PTC Bug CISA Has Ever Flagged as Exploited.
CVE-2026-12569 is an unauthenticated remote code execution flaw in the PLM software that aerospace, auto, and defense manufacturers run.

Janet Torvalds
June 27, 2026
PTC Windchill is the system that aerospace, automotive, and defense manufacturers use to store and version their engineering data. Right now it is being broken into. On Thursday, CISA added CVE-2026-12569 to its Known Exploited Vulnerabilities catalog and gave federal civilian agencies until June 28 to patch. That is the first time any PTC product has appeared on that list.
The bug is an unauthenticated remote code execution flaw, CVSS 9.3. PTC's advisory describes it as an RCE "that may be exploited through deserialization of untrusted data." Here is what that means. Windchill takes data out of a network request and turns it back into a live software object without first checking what that object is. Feed it the right payload and that reconstruction step runs attacker code on the server. No password, no session. The attacker only needs to reach the Windchill login endpoint over the network.
Once in, they are leaving JSP webshells behind. A webshell is a small script dropped on the server that the attacker can come back to later to run commands and pull data out. PTC's published indicators of compromise spell out exactly what to look for: webshell files written under /Windchill/login/ with sixteen-character hexadecimal names, a command-and-control address at 5.180.41.35, and a file named flst.txt that appears once the attacker has listed the filesystem. PTC says the activity amounts to remote command execution and data exfiltration, which is the normal reason to plant a webshell.
The fix exists, and has for over a week
This is not a zero-day that caught the vendor flat-footed. The timeline:
- June 17: PTC starts shipping patches and mitigations.
- June 18: PTC publishes its indicators of compromise and warns that attackers are already using the flaw to deploy JSP webshells.
- June 25: PTC updates the advisory to note "continued reports of heightened threat activity." The same day, CISA adds CVE-2026-12569 to the KEV catalog with a June 28 remediation deadline.
PTC's advisory lists fixed builds across the supported branches: 13.1.1, 13.0.2, 12.1.2, 12.0.2, 11.2.1, 11.1 M020, and 11.0 M030. Anything older than its branch fix is in scope. If you run Windchill or FlexPLM, the patch is the answer, and it has been available since the 17th.
If you cannot patch this minute, PTC's mitigations buy time: block 5.180.41.35 at the perimeter, grep your HTTP access logs for POST requests to /Windchill/login/*.jsp, scan the filesystem for JSP files matching that sixteen-hex-character pattern, add a WAF or IDS rule that drops any request carrying the X-windchill-req header, and take the login endpoint off the public internet if your deployment allows it.
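The log and filesystem checks above can be scripted for triage. The following is an added example, not code from PTC or CISA; it assumes Apache/Tomcat-style access log lines, treats the hex names as case-insensitive, and uses constructed sample lines and hypothetical function names.

```python
import re
from pathlib import PurePosixPath

C2_ADDRESS = "5.180.41.35"   # from the IoCs quoted in this article
LISTING_FILE = "flst.txt"    # from the IoCs quoted in this article
# Sixteen hex characters plus .jsp; matching either letter case is an assumption.
WEBSHELL_NAME = re.compile(r"^[0-9a-f]{16}\.jsp$", re.IGNORECASE)
# Assumption: Apache/Tomcat common or combined access log format.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_JSP = re.compile(r"^/Windchill/login/[^/?]+\.jsp(?:\?|$)", re.IGNORECASE)

def scan_access_log(lines):
    """Return (line_no, client, path, reasons) for requests worth reviewing."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skipped here, review separately
        path, reasons = m["path"], []
        if m["method"] == "POST" and LOGIN_JSP.match(path):
            reasons.append("POST to /Windchill/login/*.jsp")
            if WEBSHELL_NAME.match(path.split("?", 1)[0].rsplit("/", 1)[-1]):
                reasons.append("16-hex JSP name")
        if m["client"] == C2_ADDRESS:
            reasons.append("client is listed C2 address")
        if reasons:
            findings.append((n, m["client"], path, reasons))
    return findings

def scan_paths(paths):
    """Flag file paths (POSIX or Windows style) that match the file IoCs."""
    hits = []
    for p in paths:
        pp = PurePosixPath(p.replace("\\", "/"))
        if pp.name.lower() == LISTING_FILE:
            hits.append((p, "flst.txt listing file"))
        elif WEBSHELL_NAME.match(pp.name) and pp.parent.name.lower() == "login":
            hits.append((p, "16-hex JSP under login/"))
    return hits

SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is documentation space
    '203.0.113.7 - - [20/Jun/2026:10:01:02 +0000] "POST /Windchill/login/a1b2c3d4e5f60718.jsp HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jun/2026:10:02:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 9001',
    '5.180.41.35 - - [20/Jun/2026:10:03:00 +0000] "GET /Windchill/login/example.jsp HTTP/1.1" 200 100',
]
if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Feed `scan_paths` the output of a recursive file listing of the Windchill web root; a hit is a lead for investigation, not proof of compromise.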
How worried to actually be
The CVSS number is high and the exploitation is real, but the blast radius depends on one thing: whether your Windchill login page is reachable from the open internet. Windchill usually lives inside a corporate network, behind a VPN. The instances getting hit are the ones exposed directly. So this is urgent for organizations that put the endpoint online and a good prompt for everyone else to confirm theirs is not.
The category matters more than the install count. Windchill holds the design and lifecycle data for cars, aircraft, and military hardware. A webshell there gives an attacker a working foothold inside a manufacturer's engineering systems, with the data exfiltration to match. That is why CISA treats a PLM bug with the same urgency it would give a flaw in a firewall.
There was a warning shot. In March, a different Windchill flaw, CVE-2026-4681, had German police physically visiting companies to tell them to lock it down. That one was never actually exploited. This one is, and Heise reported that German authorities had again started alerting organizations just before the exploitation was confirmed. The second time the police knocked, the attackers were already inside.
Sources (4)
- CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue (thehackernews.com)
- First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild (www.securityweek.com)
- PTC Windchill and FlexPLM RCE Vulnerability Advisory (www.ptc.com)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (www.cisa.gov)