INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Exploited PTC Windchill RCE Flaw Added to KEV Catalog
2026-06-26 12:31 CRITICAL HIGH
Executive Summary AI-generated
The newly added remote code execution vulnerability in PTC Windchill PDMlink and PTC FlexPLM software has been identified as CVE-2026-12569, a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network. Despite patches being released last week, unknown attackers continue to exploit the vulnerability to deploy JSP web shells against susceptible systems. The incident highlights how threat actors are rapidly weaponizing newly disclosed vulnerabilities to their advantage and underscores the need for immediate action from affected organizations to mitigate potential risks.
Technical Mitigations AI-generated
* Implement a Web Application Firewall (WAF) and Intrusion Detection System (IDS): Configure your organization's WAF to block any request containing the header X-windchill-req, which is used by attackers to exploit the PTC Windchill vulnerability. Additionally, deploy an IDS that can detect and alert on suspicious activity.
* Implement a Content Security Policy (CSP) with strict filtering: Configure your organization's CSP to filter out malicious content from JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}. This will prevent attackers from exploiting the PTC Windchill vulnerability by injecting malicious code into legitimate web shells.
* Regularly scan for and remove suspicious JSP files: Use an automated tool to regularly scan your organization's filesystem for JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}. Remove any such files that are found, as they may be used by attackers to escalate privileges.
* Implement a secure login endpoint configuration: Restrict internet exposure of the Windchill login endpoint where operationally possible. This will prevent attackers from exploiting the PTC Windchill vulnerability by using the login endpoint for malicious activities.
* Monitor HTTP access logs and system logs for suspicious activity: Regularly monitor your organization's HTTP access logs and system logs for any POST requests to /Windchill/login/*.jsp or other suspicious activity that may indicate an attacker is attempting to exploit the PTC Windchill vulnerability.
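An added example (not part of the original report or of PTC's guidance) of the access-log review and filesystem sweep described in the list above. The `.jsp` suffix on the 16-hex name, the combined log format, the severity labels and the function names are assumptions; the sample log lines are constructed and use documentation IP ranges.

```python
import re
from pathlib import Path

# Combined-log-format prefix: client IP ... "METHOD /path HTTP/x" status
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Naming pattern from the page: 16 lowercase hex chars under /Windchill/login/ (".jsp" suffix assumed)
SHELL_NAME = re.compile(r'^/Windchill/login/[0-9a-f]{16}\.jsp$')
LOGIN_JSP = re.compile(r'^/Windchill/login/[^/]+\.jsp$')

def scan_access_log(lines):
    """Return (severity, client_ip, method, path, status) for suspicious requests."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if SHELL_NAME.match(path):
            # A 200 means the file was served, so it exists on disk
            sev = "high" if m["status"] == "200" else "medium"
        elif m["method"] == "POST" and LOGIN_JSP.match(path):
            sev = "review"  # POST to a login JSP: check against known-good pages
        else:
            continue
        findings.append((sev, m["ip"], m["method"], path, int(m["status"])))
    return findings

def find_suspect_jsps(webroot):
    """List files under <webroot>/Windchill/login whose name is 16 hex chars + .jsp."""
    login_dir = Path(webroot) / "Windchill" / "login"
    if not login_dir.is_dir():
        return []
    return sorted(p for p in login_dir.iterdir()
                  if p.is_file() and re.fullmatch(r"[0-9a-f]{16}\.jsp", p.name))

# Constructed sample log lines (documentation IP ranges, not real indicators)
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2026:10:01:02 +0000] "GET /Windchill/login/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.9 - - [26/Jun/2026:10:02:10 +0000] "POST /Windchill/login/0a1b2c3d4e5f6789.jsp?x=1 HTTP/1.1" 200 48',
    '198.51.100.9 - - [26/Jun/2026:10:02:40 +0000] "GET /Windchill/login/ffffffffffffffff.jsp HTTP/1.1" 404 0',
    '203.0.113.7 - - [26/Jun/2026:10:03:00 +0000] "POST /Windchill/login/login.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Files returned by `find_suspect_jsps` should be preserved for forensic review (hash, timestamps, owner) before removal, since they mark when and how the host was accessed.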
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-12569
CVE-2026-20230
Target & Sectors
Global Scope
Incident Timeline
2026/06/19
Threat actors used PTC's KEV software to exploit a previously undisclosed Remote Code Execution (RCE) flaw in JSP web applications.
Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that "we've received continued reports of heightened threat activity," with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems.
June 25
PTC's KEV system is being targeted by unknown attackers exploiting a recently disclosed RCE flaw in PTC Windchill.
Jun 26, 2026
Threat actors used PTC's KEV web shell to exploit CVE-2026-12569, a remote code execution vulnerability in the Windchill login endpoint.
PTC has also released the following indicators of compromise (IoCs) associated with the activity:
5.180.41.35 (Attacker command-and-control address)
Web shell files following the naming pattern /Windchill
2026/06/26
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical remote code execution vulnerability in Cisco Unified Communications Manager to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation by targeting the affected software with server-side request forgery attacks via specially crafted HTTP requests.
Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability
CVE-2026-12569 is a critical remote code execution (RCE) vulnerability in PTC Windchill PDMlink and PTC FlexPLM.
The two flaws added to the catalog are:
CVE-2026-12569 (CVSS score of 9.3) PTC Windchill and FlexPLM Improper Input Validation Vulnerability
CVE-2026-20230 (CVSS score of 8.6)
CVE-2026-20230 is a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM SME that allows an unauthenticated remote attacker to perform server-side request forgery (SSRF) by sending specially crafted HTTP requests to an affected device.
The flaw impacts all CPS versions and Windchill and FlexPLM releases prior to 11.0 M030.
A key condition is that the WebDialer service must be enabled for exploitation, and it is disabled by default.
June 28, 2026
Threat actors exploited a Remote Code Execution (RCE) flaw in PTC Windchill, which was patched by CISA as part of its KEV update.
Intelligence Sources
The Hacker News
2026-06-26
Security Affairs
2026-06-26
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:23