Customer Updates: Remote Code Execution Vulnerability in PTC’s Windchill and FlexPLM Solutions

Patches for versions 11.0. M030 and 13.1.1 are now available. Customers running these versions are urged to apply the corresponding patch immediately.

Version 11.0 M030: PTC Software Download - under "Release 11.0 -> PTC Windchill 11.0 Service Pack - Critical Patch Sets Bundles -> Version: M030".

• 11-0-XXXX-CPSXB6-Applies-to-F000-CPS16
• 11-0-XXXX-CPSXB7-Applies-to-CPS17-CPS24

Version 13.1.1: PTC Software Download - under "Release 13.1 -> PTC Windchill 13.1 Service Pack - Critical Patch Sets Bundles -> Version: 13-1-1-5".

• 13-1-XXXX-CPSXB3-Applies-to-F000-CPS05

Patches for versions 11.2.1 and 111.1 M020 are now available. Customers running these versions are urged to apply the corresponding patch immediately.

Version 11.2.1: PTC Software Download - under "Release 11.2 -> PTC Windchill 11.2 Service Pack - Critical Patch Sets Bundles -> Version: 11-2-1-24".

• 11-2-XXXX-CPSXB6-Applies-to-F000-CPS04
• 11-2-XXXX-CPSXB7-Applies-to-CPS05-CPS24

NOTE: Only 1 patch is required to be installed on the Windchill system; select the patch that applies to the CPS release currently installed.

Version 11.1 M020: PTC Software Download - under "Release 11.1 -> PTC Windchill 11.1 Service Pack - Critical Patch Sets Bundles -> Version: M020".

• 11-1-XXXX-CPSXB4-Applies-to-F000-CPS08
• 11-1-M020-CPS09-CPSXB2-Applies-to-CPS09
• 11-1-XXXX-CPSXB5-Applies-to-CPS10-CPS14
• 11-1-XXXX-CPSXB6-Applies-to-CPS15-CPS36

NOTE: Only 1 patch is required to be installed on the Windchill system; select the patch that applies to the CPS release currently installed.

Patches for versions 12.1.2 and 12.0.2 have become available. Customers running these versions are urged to apply the corresponding patch immediately.

Version 12.1.2: PTC Software Download - under "Release 12.1 -> PTC Windchill 12.1 Service Pack - Critical Patch Sets Bundles -> Version: 12-1-2-22"

• 12-1-XXXX-CPSXB8-Applies-to-F000-CPS04
• 12-1-XXXX-CPSXB9-Applies-to-CPS05-CPS08
• 12-1-XXXX-CPSXB10-Applies-to-CPS09-CPS22

NOTE: Only 1 patch is required to be installed on the Windchill system; select the patch that applies to the CPS release currently installed.

Version 12.0.2: PTC Software Download - under "Release 12.0 -> PTC Windchill 12.0 Service Pack - Critical Patch Sets Bundles -> Version: 12-0-2-27"

• 12-0-XXXX-CPSXB5-Applies-to-F000-CPS05
• 12-0-XXXX-CPSXB6-Applies-to-CPS06-CPS14
• 12-0-XXXX-CPSXB7-Applies-to-CPS015-CPS17
• 12-0-XXXX-CPSXB8-Applies-to-CPS018-CPS27

NOTE: Only 1 patch is required to be installed on the Windchill system; select the patch that applies to the CPS release currently installed.

Customers should review their environments for the following Indicators of Compromise (IOCs):

CVE-2026-12569 - IOCs

Monitor for the deployment of persistent JSP webshells into the Windchill login directory, enabling remote command execution and possible data exfiltration. See below for known Indicators of Compromise (IOCs), there could be others.

Network IOCs

Attacker Command & Control (C2) IP

IPv4 5.180.41.35 Block at perimeter

Known Webshell Paths

URL /Windchill/login/7c0a0a34c9d8d53b.jsp

URL /Windchill/login/46b158b8607a4c00.jsp

URL /Windchill/login/64652883d9de3299.jsp

URL /Windchill/login/56c9be44a436c4a2.jsp

URL /Windchill/login/4b57d0652345d383.jsp

URL /Windchill/login/ec6ba805a076e709.jsp

Hunt beyond the known list. The attacker names webshells using 16 lowercase hex characters. Search logs for any POST to /Windchill/login/[0-9a-f]{16}.jsp — new shells may be deployed at any time with different names.

Malicious Request Header

Header: X-windchill-req: ?x8Fmgow 
First character = command selector. No legitimate use in Windchill.

File IOCs

Recommended Actions

1. Block 5.180.41.35 at the perimeter firewall immediately.

2. Search HTTP access logs for any POST to /Windchill/login/*.jsp — legitimate Windchill traffic does not POST to this path.

3. Scan the filesystem for .jsp files matching the 16-hex-char pattern under .../Windchill/codebase/login/.

4. Hash-check any suspicious .jsp files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c.

5. Check for flst.txt in /tmp or the Windchill working directory — its presence confirms attacker file-listing activity.

6. Add WAF / IDS rule blocking any request containing the header X-windchill-req:.

7. Alert on large POST responses (multi-MB) originating from .jsp files in the Windchill application tier.

8. Restrict internet exposure of the Windchill login endpoint where operationally possible.

Detection Rule Sketches

SIEM / Log query

// Flag any POST to the hex-named JSP pattern

method = "POST"

AND uri_path MATCHES "^/Windchill/login/[0-9a-f]{16}\.jsp$"

WAF / IDS — header rule

// Block the custom C2 command header

request.headers contains "X-windchill-req"  →  DROP + ALERT

File integrity / EDR

path <WT_HOME>/codebase/login/*.jsp

sha256: 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c

Pre-attack recon detection (specific to FlexPLM)

// WSDL probe that precedes webshell deployment

method = "GET"

AND uri_path MATCHES "^/Windchill/rfa/jsp/login/.*\.jsp\?wsdl$"

AND response_bytes = 4045

If you have any questions about the IOCs, please open a technical support ticket.