
JSP webshells being dropped on unpatched PTC Windchill instances

Help Net Security, Jun 29, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability (CVE-2026-12569) in Windchill and FlexPLM, two product lifecycle management software platforms developed by PTC, to its Known Exploited Vulnerabilities (KEV) catalog. Entries in the KEV catalog don’t contain links to reports of exploitation, but PTC’s advisory keeps getting updated with indicators of compromise and advice for defenders, confirming that attackers are dropping JSP webshells on vulnerable systems.



Zeljka Zorz, Editor-in-Chief, Help Net Security, June 29, 2026

CISA ordered US federal civilian government agencies to address CVE-2026-12569 by June 28, but all organizations using one of these two PLM platforms should patch (if they haven’t already) and check for the presence of indicators of compromise.

PTC Windchill under attack via CVE-2026-12569

Windchill is PTC’s product lifecycle management platform for manufacturing and engineering-intensive industries, while FlexPLM is a PLM platform for the retail, footwear, apparel, and consumer goods industries.

CVE-2026-12569 is an improper input validation vulnerability that allows unauthenticated, remote attackers to execute arbitrary code just by sending a malicious request over the network.

PTC warned about the flaw on June 17 and proposed remediation steps, then followed up with the release of a patch on June 18, when it confirmed in-the-wild exploitation. Patches for additional versions of the software were released soon after.

News outlet Heise Online reported that, around June 17, Germany’s Federal Office for Information Security (BSI) started notifying German companies of “impending cyberattacks on vulnerable Windchill instances”, and urged them to verify they had applied the patch.

Interestingly enough, a similar warning by the Federal Criminal Police Office (BKA) on behalf of the BSI was given to German companies in late March 2026, when a code injection vulnerability (CVE-2026-4681) in those same two platforms was publicly disclosed. CVE-2026-4681 also allowed remote code execution, and the indicators of compromise provided in the related advisory suggest it was also exploited in the wild, even though the advisory still states that “there is no evidence of confirmed exploitation affecting PTC customers.”
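For this class of attack, the advice above to check for indicators of compromise comes down to hunting for JSP files that do not belong in the web application: pages that appeared after the disclosure date and whose source contains command-execution primitives. The following Python script is an added example, not code from the article, from PTC, or from any vendor advisory. It walks a directory tree, reports JSP/JSPX/JSPF files modified at or after a chosen Unix time whose source matches generic webshell heuristics, and builds a constructed two-file fixture to run against. The directory layout, file names, timestamps, scoring weights and indicator patterns are all assumptions for illustration; the authoritative indicators for CVE-2026-12569 are the ones published in PTC’s advisory.

```python
"""Hunt for JSP webshell indicators under a web application directory.

Added example; not PTC tooling and not from the article. Paths, names and
patterns below are generic assumptions, not published IoCs.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Generic source-level heuristics commonly present in JSP webshells.
# Assumption: illustrative patterns only, not the vendor's indicators.
INDICATORS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "request_param": re.compile(r"request\.getParameter\s*\("),
    "base64_decode": re.compile(r"Base64\.getDecoder\(\)\.decode\s*\("),
    "reflection": re.compile(r"Class\.forName\s*\(|\.getDeclaredMethod\s*\("),
    "raw_file_write": re.compile(r"new\s+FileOutputStream\s*\("),
}
JSP_SUFFIXES = {".jsp", ".jspx", ".jspf"}


@dataclass
class Finding:
    path: str
    mtime: float
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Command-execution primitives weigh more than helper patterns, so a
        # page that merely reads request parameters stays below the threshold.
        weights = {"runtime_exec": 3, "process_builder": 3}
        return sum(weights.get(name, 1) for name in self.indicators)


def scan_jsp_tree(root, since_epoch=None, min_score=2):
    """Return Findings for JSP files under root that match indicator patterns.

    since_epoch: only report files modified at/after this Unix time (for
    example the vendor's disclosure date), so long-standing application
    pages are not re-reported; None scans everything.
    min_score: minimum weighted indicator score for a file to be reported.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in JSP_SUFFIXES:
            continue
        mtime = path.stat().st_mtime
        if since_epoch is not None and mtime < since_epoch:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        finding = Finding(str(path), mtime, hits)
        if finding.score >= min_score:
            findings.append(finding)
    # Highest score first, then by path for stable output.
    return sorted(findings, key=lambda f: (-f.score, f.path))


def build_sample_tree():
    """Create a constructed fixture: one legitimate page and one page that
    carries webshell-style indicator strings (deliberately not valid Java).
    Returns the fixture root. All names and timestamps are made up."""
    root = Path(tempfile.mkdtemp(prefix="jsp_hunt_"))
    legit = root / "app" / "orders" / "list.jsp"
    legit.parent.mkdir(parents=True)
    legit.write_text(
        '<%@ page contentType="text/html" %>\n'
        '<html><body>Orders for <%= request.getParameter("customer") %></body></html>\n'
    )
    os.utime(legit, (1_600_000_000, 1_600_000_000))  # long before disclosure
    dropped = root / "app" / "static" / "img.jsp"
    dropped.parent.mkdir(parents=True)
    dropped.write_text(
        '<%@ page import="java.io.*" %>\n'
        '<% /* constructed fixture */ String p = request.getParameter("..."); '
        'Runtime.getRuntime().exec(...); %>\n'
    )
    os.utime(dropped, (1_700_000_000, 1_700_000_000))  # after disclosure
    return root


if __name__ == "__main__":
    fixture = build_sample_tree()
    for f in scan_jsp_tree(fixture, since_epoch=1_650_000_000):
        print(f"score={f.score:2d}  {f.path}  {f.indicators}")
```

Against a real deployment, point `scan_jsp_tree` at the application’s web root with `since_epoch` set to the disclosure date, and treat a hit as the start of an investigation (diff the file against a known-good install or the vendor’s file manifest) rather than as proof on its own; a page that only reads request parameters scores below the default threshold by design, because that is what ordinary JSP pages do.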