CISA has added CVE‑2026‑12569 to its Known Exploited Vulnerabilities catalogue. The flaw affects PTC’s Windchill and FlexPLM products and is described as an improper input validation vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request over the network.
The vulnerability is an improper input validation issue in the affected applications. Successful exploitation leads to remote code execution with the privileges of the service account. The attack vector is network‑based and requires neither authentication nor user interaction. NVD assigns a CVSS v3.1 base score of 9.3, rating the issue as CRITICAL. At the time of publication, PTC has not released a patch, and the patch status is listed as unknown.
Inclusion in the KEV catalogue means that active exploitation of CVE‑2026‑12569 has been confirmed in the wild. No public reports link this vulnerability to ransomware campaigns at present. CISA has set a remediation deadline of 28 June 2026 for federal civilian executive branch (FCEB) agencies to apply the required mitigations.
CISA’s required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26‑04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset’s internet exposure and ensuring adherence to BOD 26‑04 patching guidelines.
While the directive binds FCEB agencies, all organisations should review their exposure to Windchill and FlexPLM and implement the mitigations as soon as possible.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-12569 and the CISA KEV catalogue.