CISA Adds Critical PTC Windchill RCE Vulnerability to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued an alert regarding a critical remote code execution (RCE) vulnerability, **CVE-2026-12569**, affecting **PTC Windchill PDMlink** and **PTC FlexPLM** software. This flaw, stemming from improper input validation, is actively being exploited by threat actors to deploy JSP web shells, prompting its immediate inclusion in CISA's Known Exploited Vulnerabilities (**KEV**) catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) recently added a critical remote code execution (RCE) vulnerability, **CVE-2026-12569**, to its Known Exploited Vulnerabilities (**KEV**) catalog. This move underscores evidence of active exploitation targeting **PTC Windchill PDMlink** and **PTC FlexPLM** enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software.
The vulnerability, assigned a CVSS score of 9.3, is an improper input validation issue. According to an advisory from **PTC**, it allows an attacker to execute arbitrary code by sending a malicious request over the network, primarily through the deserialization of untrusted data.
Despite patches being released last week, **PTC** confirmed on June 25th that it continues to receive reports of heightened threat activity. Attackers are leveraging **CVE-2026-12569** to deploy JSP web shells on vulnerable systems.
**PTC** has also released several Indicators of Compromise (IoCs) associated with this activity:
* 172.111.38.31
* 216.152.148.54
* 104.243.35.131
* 74.50.76.146
* 5.180.41.35 (Attacker command-and-control address)
* Web shell files following the naming pattern `/Windchill/login/[0-9a-f]{16}.jsp`
### Recommended Mitigations
Users are strongly advised to implement the following immediate mitigations:
* Block **5.180.41.35** at the perimeter firewall.
* Search HTTP access logs for any POST requests to `/Windchill/login/*.jsp`.
* Scan the filesystem for JSP files matching the 16-hex-char pattern `/Windchill/login/[0-9a-f]{16}.jsp`.
* Hash-check any suspicious JSP files against `55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c`.
* Check for `flst.txt` in `/tmp` or the Windchill working directory, as its presence confirms attacker file-listing activity.
* Add a Web Application Firewall (**WAF**) / Intrusion Detection System (**IDS**) rule blocking any request containing the header `X-windchill-req:`.
* Restrict internet exposure of the Windchill login endpoint where operationally possible.
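The log, filesystem and hash checks above can be combined into one triage pass. The script below is an added example, not code from PTC or CISA. It assumes a combined-format access log and a `login` directory directly under the Windchill root you pass in. The function names and sample log lines are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# IoCs copied from the page; the log format and directory layout are assumptions.
KNOWN_BAD_SHA256 = {"55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c"}
C2_ADDRESS = "5.180.41.35"
LOGIN_JSP = re.compile(r"/Windchill/login/([^/]+\.jsp)")
SHELL_NAME = re.compile(r"[0-9a-f]{16}\.jsp")
# Assumed combined log format: client IP first, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Return (ip, path, status, reasons) for each POST to /Windchill/login/*.jsp."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        # Keep only POSTs whose path (query string dropped) is a JSP under /Windchill/login/.
        jsp = m and m.group(2) == "POST" and LOGIN_JSP.fullmatch(m.group(3).split("?", 1)[0])
        if not jsp:
            continue
        ip, status = m.group(1), int(m.group(4))
        reasons = ["post-to-login-jsp"]
        reasons += ["16-hex-shell-name"] if SHELL_NAME.fullmatch(jsp.group(1)) else []
        reasons += ["c2-address"] if ip == C2_ADDRESS else []
        hits.append((ip, jsp.group(0), status, reasons))
    return hits

def scan_filesystem(windchill_root, extra_dirs=("/tmp",), known_bad=KNOWN_BAD_SHA256):
    """Return 16-hex JSPs under <root>/login with SHA-256, plus any flst.txt found."""
    root, findings = Path(windchill_root), []
    for jsp in sorted((root / "login").glob("*.jsp")):
        if SHELL_NAME.fullmatch(jsp.name):
            digest = hashlib.sha256(jsp.read_bytes()).hexdigest()
            findings.append(("webshell-name", str(jsp), digest, digest in known_bad))
    for directory in (root, *map(Path, extra_dirs)):
        if (directory / "flst.txt").is_file():
            findings.append(("flst-marker", str(directory / "flst.txt"), None, False))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jun/2026:10:01:02 +0000] "GET /Windchill/login/login.jsp HTTP/1.1" 200 512',
    '5.180.41.35 - - [25/Jun/2026:10:02:11 +0000] "POST /Windchill/login/0a1b2c3d4e5f6789.jsp?c=1 HTTP/1.1" 200 87',
    '192.0.2.44 - - [25/Jun/2026:10:03:40 +0000] "POST /Windchill/login/status.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(*scan_access_log(SAMPLE_LOG), sep="\n")
```

A file that matches the naming pattern but not the published hash still warrants review, since the page lists the pattern and the hash as separate indicators.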
This marks the first time a **PTC** product vulnerability has been included in **CISA**'s **KEV** catalog, highlighting the increasing speed at which threat actors weaponize newly disclosed vulnerabilities.