Cyber Resilience

CVE-2026-12569

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE · Updated

Published: 18 June 2026
Modified: 30 June 2026
KEV added: 25 June 2026
Patch
CVSS v4.0 base score: 9.3 (Critical)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:Red
EPSS score: 0.0111 (61.8th percentile)
Risk priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-12569 is a critical-severity Improper Input Validation (CWE-20) vulnerability in PTC Windchill PDMLink. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it in the top 38.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability details

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This advisory also applies to all CPS versions. The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.

CWE(s): CWE-20, CWE-502
KEV date added: 25 June 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Critical RCE via deserialization of untrusted data (CWE-502) in a server product directly enables remote exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

ptc flexplm: 11.1m020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.1.3.0 · ≤ 11.0m030
ptc windchill pdmlink: 11.0m030, 11.1m020, 11.2.1.0, 12.0.2.0, 12.1.2.0 · ≤ 11.0m030

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-20, CWE-502: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Addresses CWE-20, CWE-502: Directly implements checks on information inputs to reject invalid data before processing.
- Addresses CWE-502: Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Addresses CWE-502: Untrusted serialized data can be deserialized and observed inside a detonation chamber (an isolated sandbox), confining any gadget-chain exploitation to the sandbox.
- Addresses CWE-502: Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Addresses CWE-502: Integrity verification of serialized information can detect tampering before deserialization occurs.
- Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References