CVE-2026-12569: PTC Windchill and FlexPLM Remote Code Execution Vulnerability (CISA KEV)

CISA Known Exploited Vulnerability (KEV): Added to the CISA KEV Catalog on June 25, 2026. Action due June 28, 2026. BOD 26-04 3-day patch mandate applies.

CVE: CVE-2026-12569 | CVSS: 9.1 | Vendor: PTC | Product: Windchill, FlexPLM, Creo Parametric Server (CPS)

What Is the Vulnerability

CVE-2026-12569 is a deserialization of untrusted data vulnerability (CWE-502) in PTC Windchill, FlexPLM, and Creo Parametric Server (CPS) that allows remote code execution. PTC Windchill is an industrial product lifecycle management (PLM) platform used extensively across manufacturing, aerospace, automotive, and defense sectors to manage product data throughout its entire lifecycle — from design through manufacturing, service, and retirement. FlexPLM extends that capability into retail, footwear, and apparel, while Creo Parametric Server provides the server-side backbone for PTC’s CAD collaboration workflows.

The vulnerability arises from unsafe deserialization of user-supplied data. An unauthenticated attacker can send a specially crafted serialized object to the affected endpoint, triggering arbitrary code execution in the context of the PLM application server. Because these systems sit at the heart of engineering and manufacturing operations — housing intellectual property, design files, and supply chain data — a successful compromise could expose years of R&D investment and disrupt production lines.

NVD published the advisory on June 18, 2026. PTC released patches shortly afterward. On June 25, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog with a remediation due date of June 28, 2026 — giving organizations just three days to apply the fix under Binding Operational Directive (BOD) 26-04.

Versions Affected

  • PTC Windchill — all versions prior to the patched release (see PTC advisory CS473270 for exact version ranges)
  • PTC FlexPLM — all versions prior to the patched release
  • Creo Parametric Server (CPS) — all versions

Exploited?

Yes. CISA has confirmed active exploitation in the wild, which triggered the addition to the KEV catalog on June 25, 2026. Given the sensitivity of the sectors that rely on Windchill — defense contractors, aerospace manufacturers, automotive suppliers — exploitation activity is being closely monitored by CISA and sector ISACs. Organizations in these industries should assume they are being actively targeted.

Fix

PTC has published advisory CS473270 with patch details for all affected products. Apply the vendor-supplied patches immediately. PTC customers with active maintenance agreements can download the patches through the PTC Support portal. For environments where immediate patching is not feasible, PTC recommends implementing network-level access controls to restrict access to the affected services as an interim mitigation — though CISA’s BOD 26-04 mandates patching, not mitigation.

Recommendations

  • Patch by June 28, 2026: This is the CISA-mandated deadline under BOD 26-04. Federal agencies must comply; all other organizations should treat this with equal urgency.
  • Manufacturing, aerospace, and defense organizations must prioritize: If you run Windchill or FlexPLM, escalate this to your incident response leadership immediately.
  • Audit PLM access: Review who and what can reach your PLM systems. Remove any internet-facing access that is not strictly required.
  • Network-segment PLM systems: Isolate Windchill, FlexPLM, and CPS deployments from general corporate networks. These systems should never be reachable from the internet without VPN + MFA.
  • Check for indicators of compromise: Review application logs and process execution history on PLM servers for signs of post-exploitation activity, including unexpected child processes spawned by the Windchill/CPS service account.
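As an added illustration of the last recommendation (example code written for this note, not from the page or from PTC), the following Python flags process-creation records in which the PLM service account spawns something outside an expected baseline. The pipe-separated log format, the account name SVC_WINDCHILL, the baseline of expected parent/child pairs and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed service account the Windchill/CPS service runs under (constructed, not from the advisory).
PLM_SERVICE_ACCOUNT = "SVC_WINDCHILL"

# Assumed baseline: PLM parent binaries and the children each normally spawns; anything else is flagged.
EXPECTED_CHILDREN = {
    "java.exe": {"java.exe", "conhost.exe"},
    "httpd.exe": {"httpd.exe", "rotatelogs.exe"},
}

@dataclass(frozen=True)
class ProcEvent:
    timestamp: str
    user: str
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed record: timestamp|user|parent_image|image|command_line."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed process record: {line!r}")
    return ProcEvent(*fields)

def is_suspicious(ev: ProcEvent) -> bool:
    """True when the process runs under the PLM service account but outside the baseline."""
    account = ev.user.rsplit("\\", 1)[-1].upper()  # drop a DOMAIN\ prefix if present
    if account != PLM_SERVICE_ACCOUNT:
        return False
    parent, child = basename(ev.parent_image), basename(ev.image)
    return child not in EXPECTED_CHILDREN.get(parent, set())

def find_suspicious(lines) -> list:
    """Return every process-creation event that deviates from the baseline."""
    return [ev for ev in (parse_event(rec) for rec in lines if rec.strip()) if is_suspicious(ev)]

# Constructed sample records; paths and account names are illustrative only.
SAMPLE_LOG = [
    r"2026-06-26T02:14:07Z|CORP\SVC_WINDCHILL|C:\ptc\Windchill\Java\bin\java.exe|C:\ptc\Windchill\Java\bin\java.exe|java -Xmx4g MethodServer",
    r"2026-06-26T02:14:09Z|CORP\SVC_WINDCHILL|C:\ptc\Windchill\Java\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2026-06-26T02:14:11Z|CORP\SVC_WINDCHILL|C:\Windows\System32\cmd.exe|C:\Windows\System32\whoami.exe|whoami",
    r"2026-06-26T02:15:00Z|CORP\alice|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
]
```

Calling find_suspicious(SAMPLE_LOG) returns the java.exe to cmd.exe and cmd.exe to whoami.exe records under the service account and ignores the interactive user's shell.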

References

Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 26, 2026 Vulnerability Intelligence Report for broader context. CISA KEV addition on June 25, 2026 — action due June 28, 2026.