CVE-2026-12569 - Vulnerability Details - OpenCVE

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00499.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://www.ptc.com/en/support/article/CS473270

History

Thu, 18 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 18 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
Title		Remote Code Execution (RCE) vulnerability in Windchill PDMlink
Weaknesses		CWE-20 CWE-502
References		https://www.ptc.com/en/support/article/CS473270
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red'}`

MITRE

Status: PUBLISHED

Assigner: PTC

Published: 2026-06-18T00:11:35.241Z

Updated: 2026-06-18T13:05:09.022Z

Reserved: 2026-06-18T00:02:58.904Z

Link: CVE-2026-12569

Vulnrichment

Updated: 2026-06-18T13:04:55.974Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12569", "assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e", "state": "PUBLISHED", "assignerShortName": "PTC", "dateReserved": "2026-06-18T00:02:58.904Z", "datePublished": "2026-06-18T00:11:35.241Z", "dateUpdated": "2026-06-18T13:05:09.022Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e", "shortName": "PTC", "dateUpdated": "2026-06-18T00:11:35.241Z"}, "title": "Remote Code Execution (RCE) vulnerability in Windchill PDMlink", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper input validation", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}, {"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "affected": [{"vendor": "PTC", "product": "Windchill PDMLink", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "11.0 M030", "versionType": "semver"}, {"status": "affected", "version": "11.1 M020"}, {"status": "affected", "version": "11.2.1.0"}, {"status": "affected", "version": "12.0.2.0"}, {"status": "affected", "version": "12.1.2.0"}, {"status": "affected", "version": "13.0.2.0"}, {"status": "affected", "version": "13.1.0.0"}, {"status": "affected", "version": "13.1.1.0"}, {"status": "affected", "version": "13.1.2.0"}, {"status": "affected", "version": "13.1.3.0"}], "defaultStatus": "unaffected"}, {"vendor": "PTC", "product": "FlexPLM", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "11.0 M030", "versionType": "semver"}, {"status": "affected", "version": "11.1 M020"}, {"status": "affected", "version": "11.2.1.0"}, {"status": "affected", "version": "12.0.0.0"}, {"status": "affected", "version": "12.0.2.0"}, {"status": "affected", "version": "12.1.2.0"}, {"status": "affected", "version": "12.1.3.0"}, {"status": "affected", "version": "13.0.2.0"}, {"status": "affected", "version": "13.0.3.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u00a0 * This advisory also applies to all CPS versions\n * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. <div><ul><li>This advisory also applies to all CPS versions</li><li>The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030</li></ul></div>"}]}], "references": [{"url": "https://www.ptc.com/en/support/article/CS473270", "tags": ["vendor-advisory", "mitigation", "permissions-required"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "RED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-18T13:04:49.552005Z", "id": "CVE-2026-12569", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T13:05:09.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12569", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-18T13:04:49.552005Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T13:04:55.974Z"}}], "cna": {"title": "Remote Code Execution (RCE) vulnerability in Windchill PDMlink", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}, {"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 9.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PTC", "product": "Windchill PDMLink", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "11.0 M030"}, {"status": "affected", "version": "11.1 M020"}, {"status": "affected", "version": "11.2.1.0"}, {"status": "affected", "version": "12.0.2.0"}, {"status": "affected", "version": "12.1.2.0"}, {"status": "affected", "version": "13.0.2.0"}, {"status": "affected", "version": "13.1.0.0"}, {"status": "affected", "version": "13.1.1.0"}, {"status": "affected", "version": "13.1.2.0"}, {"status": "affected", "version": "13.1.3.0"}], "defaultStatus": "unaffected"}, {"vendor": "PTC", "product": "FlexPLM", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "11.0 M030"}, {"status": "affected", "version": "11.1 M020"}, {"status": "affected", "version": "11.2.1.0"}, {"status": "affected", "version": "12.0.0.0"}, {"status": "affected", "version": "12.0.2.0"}, {"status": "affected", "version": "12.1.2.0"}, {"status": "affected", "version": "12.1.3.0"}, {"status": "affected", "version": "13.0.2.0"}, {"status": "affected", "version": "13.0.3.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ptc.com/en/support/article/CS473270", "tags": ["vendor-advisory", "mitigation", "permissions-required"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u00a0 * This advisory also applies to all CPS versions\n * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030", "supportingMedia": [{"type": "text/html", "value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. <div><ul><li>This advisory also applies to all CPS versions</li><li>The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030</li></ul></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper input validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data"}]}], "providerMetadata": {"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e", "shortName": "PTC", "dateUpdated": "2026-06-18T00:11:35.241Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12569", "state": "PUBLISHED", "dateUpdated": "2026-06-18T13:05:09.022Z", "dateReserved": "2026-06-18T00:02:58.904Z", "assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e", "datePublished": "2026-06-18T00:11:35.241Z", "assignerShortName": "PTC"}, "dataVersion": "5.2"}