"We've received continued reports of heightened threat activity," PTC said on June 25, confirming that unknown attackers are exploiting a newly disclosed remote code execution flaw to drop JSP web shells on exposed systems.
CVE-2026-12569: the flaw, its score, and the attack vector
The vulnerability at the center of the alert is CVE-2026-12569, a high-severity improper input validation bug in PTC Windchill PDMLink and PTC FlexPLM enterprise PDM and PLM software. The issue carries a CVSS score of 9.3 and, according to reporting, "could allow an attacker to execute arbitrary code by sending a malicious request to the network." PTC's advisory describes it as "a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data."
PTC released patches for the flaw last week, but the vendor and CISA both flag active exploitation despite the availability of fixes.
Indicators of Compromise (IoCs) observed in active attacks
PTC has published a set of IoCs tied to the activity. The list provided in the advisory includes specific addresses and file patterns security teams should hunt for immediately:
- 5.180.41.35 (Attacker command-and-control address)
- Web shell files following the naming pattern /Windchill/login/[0-9a-f]{16}.jsp
Immediate mitigations PTC and CISA recommend
Both the vendor advisory and CISA's KEV entry list concrete, actionable steps for defenders. Organizations running affected products are advised to:
- Block 5.180.41.35 at the perimeter firewall immediately
- Search HTTP access logs for any POST requests to /Windchill/login/*.jsp
- Scan the filesystem for JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}.jsp
- Hash-check any suspicious JSP files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c
- Check for flst.txt in /tmp or the Windchill working directory, the presence of which confirms attacker file-listing activity
- Add WAF / IDS rule blocking any request containing the header X-windchill-req:
- Restrict internet exposure of the Windchill login endpoint where operationally possible
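The log, filesystem and hash checks from the list above can be combined into one triage pass. The following is an added example, not code from PTC or CISA; it also flags any logged request from the command-and-control address, and it assumes an Apache/Tomcat common or combined access-log format, with the directories to scan passed in by the caller (the function names and sample log lines are constructed for illustration):

```python
import hashlib
import re
from pathlib import Path

# Indicators as quoted from the advisory on this page.
C2_IP = "5.180.41.35"
KNOWN_SHA256 = "55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c"
SHELL_NAME = re.compile(r"[0-9a-f]{16}\.jsp")
LOGIN_JSP = re.compile(r"/Windchill/login/[^/?;]+\.jsp(?:[?;]|$)")
# Assumption: access log is in Apache/Tomcat common or combined format.
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')
# Constructed sample lines (documentation-range client addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jun/2026:10:00:01 +0000] "GET /Windchill/login/login.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [25/Jun/2026:10:02:13 +0000] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 87',
    '5.180.41.35 - - [25/Jun/2026:10:03:40 +0000] "GET /Windchill/app/ HTTP/1.1" 302 0',
]


def scan_access_log(lines):
    """Return (line_no, client_ip, path, reason) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, method, path = m.groups()
        if method == "POST" and LOGIN_JSP.match(path):
            hits.append((n, ip, path, "POST to login JSP"))
        elif ip == C2_IP:
            hits.append((n, ip, path, "request from C2 address"))
    return hits


def scan_filesystem(login_dir, marker_dirs):
    """Return (path, verdict) for shell-named JSPs and flst.txt markers."""
    found = []
    for p in sorted(Path(login_dir).glob("*.jsp")):
        if SHELL_NAME.fullmatch(p.name):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            found.append((str(p), "known-hash" if digest == KNOWN_SHA256 else "name-match"))
    for d in marker_dirs:
        if (Path(d) / "flst.txt").is_file():
            found.append((str(Path(d) / "flst.txt"), "file-listing marker"))
    return found


if __name__ == "__main__":
    print(*scan_access_log(SAMPLE_LOG), sep="\n")
```

A "name-match" verdict still warrants investigation, since a file can match the naming pattern without matching the published hash. If Windchill sits behind a reverse proxy, the logged client address may be the proxy's, so the address check should run against the proxy's own logs as well.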
CISA's KEV listing and the catalog milestone
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-12569 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The listing makes this the first-ever PTC product vulnerability included in the KEV catalog. CISA's decision signals the agency's assessment that the flaw is being used in the wild and merits prioritized attention from defenders.
What this means for technologists, PTC customers, and web-shell operators
Technologists and security teams: The advisory lists precise logging and filesystem checks — searching for POSTs to /Windchill/login/*.jsp, scanning for the 16-hex JSP pattern, and hash-checking suspect files — so incident triage should begin with those searches and immediate perimeter blocks (notably 5.180.41.35).
PTC customers and IT leaders: Patches were released last week, and customers face a short window to apply updates and to reduce internet exposure of the Windchill login endpoint. PTC's confirmation of "heightened threat activity" as of June 25 underlines that patching alone may not stop attackers already present.
Web-shell operators and attackers: PTC reports that unknown actors are exploiting the deserialization RCE to deploy JSP web shells, using consistent filename patterns and at least one command-and-control IP (5.180.41.35). The appearance of flst.txt in temporary or working directories is cited as a clear marker of post-compromise file-listing activity.
PTC's published IoCs and mitigations, and CISA's KEV designation, close the loop between disclosure and defensive action: patches exist, but indicators show adversaries are weaponizing the flaw in real time. Organizations running Windchill PDMLink or FlexPLM should assume compromise is possible until logs, filesystems and network defenses are checked against the IoCs and patches are applied.




