CVE-2026-12569

CRITICAL CISA KEV EPSS 61.7%

Published Jun 18, 20261w ago · Modified Jun 22, 20266d ago

9.3 CVSS 4.0

Critical

Find Similar

Published Jun 18, 2026 1w ago

Last Modified Jun 22, 2026 6d ago

KEV Listed Jun 25, 2026 4d ago

KEV Due Jun 28, 2026 1d overdue

Description

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

CVSS Details

Base Score

9.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:Red

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

CISA Known Exploited Overdue 1d

Added: Jun 25, 2026
Due: Jun 28, 2026

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

EPSS Exploit Probability

61.7% percentile

Exploit & Patch Status

Actively Exploited (KEV)

No Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation

CWE-502 Deserialization of Untrusted Data Validation

References 1

ptc.com https://www.ptc.com/en/support/article/CS473270

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.