CVE-2026-12569

Summary

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions

  • The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

Affected Software

VendorProductVersion RangeStatus
PTCWindchill PDMLink0 <= 11.0 M030affected
PTCWindchill PDMLink11.1 M020affected
PTCWindchill PDMLink11.2.1.0affected
PTCWindchill PDMLink12.0.2.0affected
PTCWindchill PDMLink12.1.2.0affected
PTCWindchill PDMLink13.0.2.0affected
PTCWindchill PDMLink13.1.0.0affected
PTCWindchill PDMLink13.1.1.0affected
PTCWindchill PDMLink13.1.2.0affected
PTCWindchill PDMLink13.1.3.0affected
PTCFlexPLM0 <= 11.0 M030affected
PTCFlexPLM11.1 M020affected
PTCFlexPLM11.2.1.0affected
PTCFlexPLM12.0.0.0affected
PTCFlexPLM12.0.2.0affected
PTCFlexPLM12.1.2.0affected
PTCFlexPLM12.1.3.0affected
PTCFlexPLM13.0.2.0affected
PTCFlexPLM13.0.3.0affected

Weaknesses

  • CWE-20: CWE-20 Improper input validation
  • CWE-502: CWE-502 Deserialization of untrusted data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References