A critical vulnerability in PTC Windchill PDMLink and FlexPLM, tracked as CVE-2026-12569, is being actively exploited, and confirmed attacks include JSP webshells planted directly on compromised servers. The flaw is an unauthenticated remote code execution bug caused by insecure deserialisation of untrusted data, which means an attacker doesn't need a username, a password, or any prior access to exploit it. They just need the server to be reachable.
Windchill is product lifecycle management software used heavily by manufacturing, engineering, and industrial organisations to manage design data, often including sensitive intellectual property. A webshell planted on a compromised Windchill server gives an attacker a persistent, remotely accessible foothold that survives a simple restart and can be used to pivot deeper into a network or exfiltrate design data at leisure.
This is a niche but serious exposure. Most individual readers have no direct relationship with Windchill. Organisations in manufacturing, aerospace, automotive, and industrial engineering that run PDMLink or FlexPLM should treat this as an active incident risk rather than a routine patch cycle item, given exploitation is already confirmed rather than theoretical.
Apply PTC's patch immediately if you haven't already. Because unauthenticated RCE with confirmed in-the-wild exploitation is about as serious as vulnerability severity gets, treat any internet-facing Windchill instance as potentially compromised until you've checked for webshells and unfamiliar files in web-accessible directories, not just patched and moved on. If you don't have the internal expertise to do that check confidently, this is a reasonable moment to bring in outside incident response help.
The vulnerabilities that actually matter, filtered from the noise, every Friday.