Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

[KEV] CVE-2026-12569 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-12569 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-12569 is an improper input validation vulnerability affecting PTC Windchill and FlexPLM, two widely deployed product lifecycle management platforms, that allows unauthenticated remote attackers to execute arbitrary code via malicious network requests.

Technical Detail

The flaw resides in the input validation logic of PTC Windchill and FlexPLM, where attacker-controlled data submitted over the network is not properly sanitized or rejected before processing. An unauthenticated remote attacker can craft and send a malicious request to the exposed service, triggering the vulnerability without requiring any prior authentication or user interaction. Successful exploitation results in remote code execution (RCE), granting the attacker the ability to run arbitrary commands in the context of the affected application, which in PLM environments typically means access to sensitive engineering, manufacturing, and product design data.

Exploitation Status

CISA has confirmed active exploitation in the wild, having added this CVE to the Known Exploited Vulnerabilities catalog on June 25, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliably achieving RCE exists and is being used in real-world attacks, not merely demonstrated in controlled research settings. Organizations running exposed instances of Windchill or FlexPLM should treat this as an active incident risk, not a future patching exercise.

Who Is Targeting This

No confirmed, ATTAX-verified threat actor attribution has been established at this time. Reported (research-inferred, medium confidence): BLACKOASIS, COPYKITTENS, GALLMAKER, EVILNUM, and LOTUSBLOSSOM have each been associated with this vulnerability through threat intelligence research. Motivations and national origins for these actors in the context of this specific CVE remain unconfirmed. These attributions should be treated as investigative leads rather than verified findings until further corroboration is available.

What To Do

Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability promptly in accordance with CISA's specified remediation timeline from the June 25, 2026 listing date. All organizations should prioritize applying the vendor-supplied patch from PTC for both Windchill and FlexPLM immediately. If patching cannot be completed without delay, restrict network access to affected services at the perimeter, enforce allowlisting for systems permitted to communicate with Windchill and FlexPLM endpoints, and disable any externally facing interfaces that are not operationally required. Monitor application and network logs for anomalous unauthenticated requests to PLM service endpoints, unexpected process spawning from application server processes, and lateral movement originating from PLM host systems. Given the RCE nature of this vulnerability and confirmed active exploitation, assume that unpatched internet-accessible instances may already be compromised and conduct threat hunting accordingly.

All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →