[KEV] CVE-2026-12569 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-12569 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-12569 is an improper input validation vulnerability affecting PTC Windchill and FlexPLM, two widely deployed product lifecycle management platforms, that allows unauthenticated remote attackers to execute arbitrary code via malicious network requests.
Technical Detail
The flaw resides in the input validation logic of PTC Windchill and FlexPLM, where attacker-controlled data submitted over the network is not properly sanitized or rejected before processing. An unauthenticated remote attacker can craft and send a malicious request to the exposed service, triggering the vulnerability without requiring any prior authentication or user interaction. Successful exploitation results in remote code execution (RCE), granting the attacker the ability to run arbitrary commands in the context of the affected application, which in PLM environments typically means access to sensitive engineering, manufacturing, and product design data.
Exploitation Status
CISA has confirmed active exploitation in the wild, having added this CVE to the Known Exploited Vulnerabilities catalog on June 25, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliably achieving RCE exists and is being used in real-world attacks, not merely demonstrated in controlled research settings. Organizations running exposed instances of Windchill or FlexPLM should treat this as an active incident risk, not a future patching exercise.
Who Is Targeting This
No confirmed, ATTAX-verified threat actor attribution has been established at this time. Reported (research-inferred, medium confidence): BLACKOASIS, COPYKITTENS, GALLMAKER, EVILNUM, and LOTUSBLOSSOM have each been associated with this vulnerability through threat intelligence research. Motivations and national origins for these actors in the context of this specific CVE remain unconfirmed. These attributions should be treated as investigative leads rather than verified findings until further corroboration is available.
What To Do
Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability promptly in accordance with CISA's specified remediation timeline from the June 25, 2026 listing date. All organizations should prioritize applying the vendor-supplied patch from PTC for both Windchill and FlexPLM immediately. If patching cannot be completed without delay, restrict network access to affected services at the perimeter, enforce allowlisting for systems permitted to communicate with Windchill and FlexPLM endpoints, and disable any externally facing interfaces that are not operationally required. Monitor application and network logs for anomalous unauthenticated requests to PLM service endpoints, unexpected process spawning from application server processes, and lateral movement originating from PLM host systems. Given the RCE nature of this vulnerability and confirmed active exploitation, assume that unpatched internet-accessible instances may already be compromised and conduct threat hunting accordingly.