• Category: Security
  • Status: confirmed
  • Sources: PTC advisory, NVD, CISA KEV
  • Summary: CVE-2026-12569 is an unauthenticated remote code execution flaw in PTC Windchill and FlexPLM, reachable from the network via deserialization of untrusted data and described as easily automatable. It affects Windchill and FlexPLM releases prior to 11.0 M030. CISA added it to the KEV catalog on 2026-06-25 (catalog 2026.06.25, count 1629), citing active exploitation. PTC is releasing patches for supported versions.
  • Why it matters: Windchill and FlexPLM are product-lifecycle-management systems in manufacturing and retail supply chains, so an unauthenticated, automatable RCE exposes high-value engineering and supply-chain data.
  • Follow-up: Track per-version patched builds, internet-exposure scans, and federal remediation deadline under BOD 26-04.

Send feedback on this story