The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network.Â
“The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data,” according to an advisory released by PTC.
Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that “we’ve received continued reports of heightened threat activity,” with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems.
PTC has also released the following indicators of compromise (IoCs) associated with the activity –
- 172.111.38.31
- 216.152.148.54
- 104.243.35.131
- 74.50.76.146
- 5.180.41.35
- 216.152.148.54
- 5.180.41.35 (Attacker command-and-control address)
- Web shell files following the naming pattern /Windchill/login/[0-9a-f]{16}.jsp
As mitigations, users are advised to perform the following actions –
- Block 5.180.41.35 at the perimeter firewall immediately
- Search HTTP access logs for any POST requests to /Windchill/login/*.jsp
- Scan the filesystem for JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}.jsp
- Hash-check any suspicious JSP files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
- Check for flst.txt in /tmp or the Windchill working directory, the presence of which confirms attacker file-listing activity
- Add WAF / IDS rule blocking any request containing the header X-windchill-req:
- Restrict internet exposure of the Windchill login endpoint where operationally possible
The development makes it the first-ever PTC product vulnerability added to CISA’s KEV catalog, not to mention highlighting how threat actors are rapidly weaponizing newly disclosed vulnerabilities to their advantage.
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
