CVE-2026-12569 - PTC Windchill and FlexPLM Improper Input Validation Vulnerability

Project: PTC

Product: Windchill and FlexPLM

Date Added: 2026-06-25

Due Date: 2026-06-28

Vulnerability Name

PTC Windchill and FlexPLM Improper Input Validation Vulnerability

Description

PTC Windchill and FlexPLM contain an improper input validation vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Additional Notes

https://www.ptc.com/en/support/article/CS473270

BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk

Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk

https://nvd.nist.gov/vuln/detail/CVE-2026-12569