

Ethical Hacking News

CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue




The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability impacting PTC Windchill software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2026-12569, has a CVSS score of 9.3 and stems from improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request over the network. To mitigate this vulnerability, users are advised to perform several actions, including blocking specific IP addresses and web shell files, searching HTTP access logs for suspicious requests, and scanning the filesystem for JSP files matching a specific naming pattern.



  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
  • The vulnerability, CVE-2026-12569, has a CVSS score of 9.3 and allows an attacker to execute arbitrary code by sending a malicious request over the network.
  • Patches for the flaw were released last week, but unknown attackers are still exploiting the vulnerability to deploy JSP web shells against susceptible systems.
  • Threat actors have been using IP addresses 172.111.38.31, 216.152.148.54, and others, as well as web shell files following a specific naming pattern, to launch attacks.
  • To mitigate the vulnerability, users are advised to block specific IP addresses, search for suspicious HTTP requests, scan for JSP files, hash-check suspicious files, and restrict internet exposure of the Windchill login endpoint.



    The cybersecurity landscape has witnessed another alarming development, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding a critical remote code execution vulnerability impacting PTC Windchill PDMLink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This latest addition serves as a stark reminder of the ever-evolving threat environment, where newly disclosed vulnerabilities are being rapidly weaponized by threat actors.

    The vulnerability in question is CVE-2026-12569, with a CVSS score of 9.3. It is a critical case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request over the network. The impact extends beyond data breaches: the flaw paves the way for deserialization of untrusted data, which facilitates remote code execution (RCE) attacks.

    According to PTC, patches for the flaw were released last week. However, the company has since confirmed that "we've received continued reports of heightened threat activity," with PTC disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems. This development underscores the pressing need for swift patch implementation and robust security measures to prevent such exploitation.

    The indicators of compromise (IoCs) associated with the activity, as released by PTC, provide a valuable insight into the tactics employed by threat actors. These IoCs include IP addresses (172.111.38.31, 216.152.148.54, 104.243.35.131, 74.50.76.146, and 5.180.41.35) and web shell files following a specific naming pattern (/Windchill/login/[0-9a-f]{16}.jsp). By understanding these IoCs, security professionals can enhance their vigilance and take proactive measures to safeguard against the deployment of JSP web shells.

    To mitigate this vulnerability, users are advised to perform several actions:

  • Block the IP address 5.180.41.35 at the perimeter firewall immediately.
  • Search HTTP access logs for any POST requests to /Windchill/login/*.jsp.
  • Scan the filesystem for JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}.jsp.
  • Hash-check any suspicious JSP files against a specific hash value (55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c).
  • Check for the presence of flst.txt in /tmp or the Windchill working directory to confirm attacker file-listing activity.
  • Add a WAF/IDS rule blocking any request containing the header X-windchill-req.
  • Restrict internet exposure of the Windchill login endpoint where operationally possible.
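    The log search and filesystem scan described above can be scripted. The following is an added example, not tooling from PTC, CISA or this site; it assumes access logs in Common/Combined Log Format and that the 64-character hash is SHA-256, and the function names and sample log lines are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# IoCs as listed in the article (released by PTC).
IOC_IPS = {"172.111.38.31", "216.152.148.54", "104.243.35.131",
           "74.50.76.146", "5.180.41.35"}
# Assumption: the 64-hex-character value is a SHA-256 digest.
IOC_SHA256 = "55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c"
SHELL_NAME = re.compile(r"[0-9a-f]{16}\.jsp")
SHELL_URI = re.compile(r"/Windchill/login/[0-9a-f]{16}\.jsp")
LOGIN_JSP = re.compile(r"/Windchill/login/[^/]*\.jsp")
# Assumption: access logs use Common/Combined Log Format.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+)')

def triage_log_line(line):
    """Return the reasons a log line matches the advisory (empty list if none)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    path = m["uri"].split("?", 1)[0]  # ignore the query string
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if SHELL_URI.fullmatch(path):
        reasons.append("webshell-name")
    if m["method"] == "POST" and LOGIN_JSP.fullmatch(path):
        reasons.append("post-to-login-jsp")
    return reasons

def scan_login_dir(login_dir):
    """Map each JSP named like the web shells to 'known-hash' or 'name-match'."""
    hits = {}
    for f in sorted(Path(login_dir).glob("*.jsp")):
        if SHELL_NAME.fullmatch(f.name):
            digest = hashlib.sha256(f.read_bytes()).hexdigest()
            hits[f.name] = "known-hash" if digest == IOC_SHA256 else "name-match"
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '5.180.41.35 - - [24/Jun/2026:10:01:02 +0000] "POST /Windchill/login/0123456789abcdef.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Jun/2026:10:02:00 +0000] "GET /Windchill/login/index.jsp HTTP/1.1" 200 4096',
    '203.0.113.9 - - [24/Jun/2026:10:03:00 +0000] "POST /Windchill/login/a1b2c3d4e5f60718.jsp?x=1 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage_log_line(entry), entry)
```

    A "name-match" result still warrants review: a file whose name fits the pattern but whose hash differs may be a different build of the web shell. The X-windchill-req header is not covered here because standard access logs do not record request headers.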

    This vulnerability's addition to CISA's KEV catalog marks a significant milestone in the agency's efforts to provide timely warnings about exploited vulnerabilities. The fact that this is the first-ever PTC product vulnerability added to CISA's KEV catalog underscores the severity and far-reaching impact of the vulnerability. Moreover, the rapid deployment of web shells by threat actors highlights the urgent need for organizations to adopt swift patch implementation strategies and robust security measures.

    In conclusion, the recent addition of CVE-2026-12569 to CISA's KEV catalog serves as a stark reminder of the evolving threat landscape and the importance of proactive cybersecurity measures. As threat actors continue to rapidly weaponize newly disclosed vulnerabilities, it is essential for organizations to prioritize swift patch implementation, robust security measures, and enhanced vigilance to prevent such exploitation.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Adds-Exploited-PTC-Windchill-RCE-Flaw-to-KEV-as-Web-Shell-Attacks-Continue-ehn.shtml

  • https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html

  • https://www.anavem.com/en/news/cybersecurity/cisa-flags-critical-ptc-windchill-rce-flaw-cve-2026-12569


  • Published: Fri Jun 26 08:57:53 2026 by llama3.2 3B Q4_K_M












