HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12569Published Modified CNA PTC

CVE-2026-12569: Remote Code Execution (RCE) vulnerability in Windchill PDMlink

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An insecure deserialization vulnerability in PTC Windchill PDMLink (and FlexPLM) allows a remote, unauthenticated attacker to execute arbitrary code on the host running the affected service. The vulnerability is reachable over the network with no credentials and no victim interaction required, making it trivially weaponizable at scale. Successful exploitation gives an attacker full control over the server, including the ability to read, modify, or destroy data and disrupt service availability. No upstream fix has been published; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment PTC releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-12569 is available across every HarborGuard environment - the CVE is matched against customer images within minutes of publication using ingestion from NVD, PTC's own advisory feed, and other upstream sources, covering both vendor-supplied and custom-built images derived from Windchill or FlexPLM base layers. Any image in a connected registry or CI pipeline that carries an affected version of Windchill PDMLink or FlexPLM is flagged automatically.

Available
Triage

Triage is available with a CVSS v4.0 score of 9.3 (CRITICAL), surfaced alongside per-environment compliance policy weighting so teams working under stricter SLAs see this issue promoted to the top of their queue. Alerts are routed to the inbox or ticketing integration configured for each customer org, ensuring the right engineering or security team is notified without manual triage.

Available
Patch

Because no fix version has been published by PTC, no patched-image rebuild is currently available. HarborGuard re-checks the PTC advisory and upstream package feeds on every ingest cycle; the moment a fix is released, a rebuilt image at the patched version becomes available, and customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and a PR opened against affected workloads.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable service is exposed over the network; an attacker must be able to reach it via HTTP or a similar application protocol to deliver a malicious serialized payload.

  • AuthenticationNot required

    No credentials of any kind are needed; the vulnerable deserialization endpoint is reachable without logging in.

  • Victim interactionNot required

    The attack is fully server-side; no user needs to click a link, open a file, or take any action for exploitation to succeed.

  • Attack complexityDetail

    Attack complexity is low - the exploit requires no race conditions, special memory layout, or other environmental prerequisites and can be executed reliably against any reachable affected instance.

Blast Radius

  • Attacker executes arbitrary operating system commands as the process owner of the Windchill or FlexPLM application server, achieving full host-level code execution.
  • Attacker reads product lifecycle data, engineering files, and any credentials or secrets stored on or accessible from the compromised host.
  • Attacker modifies or deletes PLM records, bills of materials, and configuration data persisted in the application database.
  • Attacker crashes or holds the application service hostage, causing a complete denial of service for engineering and manufacturing workflows dependent on Windchill PDMLink or FlexPLM.

How HarborGuard Handles This

Available on HarborGuard: because PTC has not yet published a fix for CVE-2026-12569, the primary capability is continuous monitoring. Every ingest cycle, HarborGuard re-checks the PTC advisory and relevant upstream feeds; a patched-image rebuild will become available automatically the moment a fix version is released, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. In the meantime, compensating controls are worth applying at the infrastructure layer: network-policy rules that restrict inbound access to Windchill and FlexPLM endpoints to known internal IP ranges, egress filtering to limit lateral movement if the service is compromised, and disabling any externally facing deserialization endpoints or legacy RMI listeners where application function permits. For environments subject to strict compliance policies, HarborGuard can route this CRITICAL-severity finding to a dedicated inbox and apply a shortened SLA so it receives immediate manual review.

See how HarborGuard automates this
Affected packages
  • PTC / Windchill PDMLink
    ≤ 11.0 M030 · 11.1 M020 · 11.2.1.0 · 12.0.2.0 · 12.1.2.0 · 13.0.2.0
  • PTC / FlexPLM
    ≤ 11.0 M030 · 11.1 M020 · 11.2.1.0 · 12.0.0.0 · 12.0.2.0 · 12.1.2.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red
References