A high‑severity remote code execution flaw, scored under CVSS v4.0, affects PTC Windchill PDMlink and FlexPLM up to version 11.0m030 and is now listed in CISA’s KEV catalog.
A critical remote code execution vulnerability (CVE-2026-12569) has been disclosed in PTC Windchill PDMlink and PTC FlexPLM, affecting installations up to version 11.0m030. The flaw, rated CVSS:4.0/AV:N/AC:L/AT:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U, is now listed in CISA’s Known Exploited Vulnerabilities Catalog.
The vulnerability is classified as critical, with a CVSS vector indicating network‑accessible, low‑complexity exploitation without authentication or user interaction and high impact across confidentiality, integrity, and availability. Its addition to CISA’s KEV catalog indicates evidence of active exploitation in the wild.
The issue stems from improper input validation in the PDMlink service component of Windchill, allowing an unauthenticated attacker to trigger arbitrary code execution. The affected products are PTC Windchill PDMlink and PTC FlexPLM, with vulnerable versions extending through 11.0m030. CPE identifiers such as cpe:2.3:a:ptc:flexplm:11.0m030::::::: and cpe:2.3:a:ptc:flexplm:11.2.1.0::::::: map to the vulnerable releases. The flaw is associated with CWE‑20 (Improper Input Validation) and CWE‑502 (Deserialization of Untrusted Data). The CVSS v3.1 vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, gives the same picture of severity.
Practitioners can determine exposure by querying the installed version via the PTC software inventory tool and comparing it against the vulnerable version range. The CPE patterns cpe:2.3:a:ptc:flexplm:11.0m030::::::: and cpe:2.3:a:ptc:flexplm:11.2.1.0::::::: identify affected installations. No public exploit code or command‑line payloads have been released; however, the vulnerability enables remote code execution through crafted network requests to the PDMlink endpoint.
Mitigation requires applying the vendor‑issued patch released in PTC’s advisory CS473270, which updates the PDMlink service to a non‑vulnerable version (11.0m030‑patch1 or later). Administrators should verify the patch level using the PTC version command, restart the PDMlink service, and confirm that the reported version string no longer falls within the vulnerable range. Additional hardening steps include disabling external access to the PDMlink service where possible and monitoring for anomalous traffic to it.
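As an added example, not from the article or from PTC, the following Python helper encodes the version range the article states (vulnerable through 11.0m030, fixed at 11.0m030‑patch1 or later) and additionally matches, by exact string, the versions named in the article’s CPE identifiers, which also list 11.2.1.0. The version‑string format, the inventory row format and the hostnames are assumptions; the authoritative affected range is the one in advisory CS473270.

```python
import re

# Versions the article's CPE identifiers name as affected (exact match),
# and the fix level named in the advisory. Encoded from the article only.
AFFECTED_CPE_VERSIONS = {"11.0m030", "11.2.1.0"}
FIXED_VERSION = "11.0m030-patch1"

_NUMERIC_RUN = re.compile(r"\d+")


def version_key(version: str) -> tuple[int, ...]:
    """Turn a version string into a comparable tuple of integers.

    '11.0m030-patch1' -> (11, 0, 30, 1); '11.2.1.0' -> (11, 2, 1, 0).
    Every run of digits is taken in order, so the maintenance level
    'm030' contributes 30 and 'patch1' contributes 1. An unpatched
    '11.0m030' -> (11, 0, 30), which sorts below (11, 0, 30, 1).
    The format is an assumption drawn from the article's own strings.
    """
    key = tuple(int(n) for n in _NUMERIC_RUN.findall(version))
    if not key:
        raise ValueError(f"no version number found in {version!r}")
    return key


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is inside the stated affected set."""
    v = installed.strip().lower()
    if v in AFFECTED_CPE_VERSIONS:
        return True
    # "Up to 11.0m030" with the fix at 11.0m030-patch1: anything that
    # sorts below the fix level still needs the patch.
    return version_key(v) < version_key(FIXED_VERSION)


def triage_inventory(rows: list[str]) -> dict[str, bool]:
    """Map 'host,version' rows (assumed format) to an exposure verdict."""
    verdicts: dict[str, bool] = {}
    for row in rows:
        row = row.strip()
        if not row or row.startswith("#"):
            continue  # blank line or comment header
        host, _, version = row.partition(",")
        verdicts[host.strip()] = is_vulnerable(version)
    return verdicts


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "# host,windchill_version",
    "plm-prod-01,11.0m030",
    "plm-prod-02,11.0m030-patch1",
    "plm-dev-01,11.2.1.0",
    "plm-lab-01,11.0m020",
]

if __name__ == "__main__":
    for host, exposed in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'PATCH REQUIRED' if exposed else 'ok'}")
```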
Read the full original article: Original Source
Additional reference: NIST National Vulnerability Database.