preloader

· security digital-security cve manufacturing industrial europe vulnerability supply-chain enterprise belgium

Belgium’s Cyber Centre Tells Manufacturers to Patch PTC Windchill Now as Webshell Attacks Continue

Source: Centre for Cybersecurity Belgium (CCB)

The Centre for Cybersecurity Belgium has issued a direct warning to organisations running PTC’s Windchill and FlexPLM product lifecycle management software: patch immediately. The advisory follows confirmation from CISA that CVE-2026-12569, a critical remote code execution flaw, is being actively exploited in the wild, with attackers dropping web shells on compromised servers to maintain persistent access.

What the flaw actually is

CVE-2026-12569 carries a CVSS score of 9.3 and stems from unsafe deserialization of untrusted data combined with improper input validation. A remote, unauthenticated attacker can send a specially crafted request to the application server and execute arbitrary code, no credentials and no user interaction required. Exploitation complexity is low, which is exactly the profile that supports automated, internet-wide scanning and exploitation rather than a targeted, hands-on-keyboard attack. The flaw affects all CPS versions along with Windchill and FlexPLM releases prior to 11.0 M030.

Webshells are already on compromised systems

CISA added CVE-2026-12569 to its Known Exploited Vulnerabilities catalog on 25 June after confirming exploitation, and the situation has continued to develop since. PTC and independent researchers have observed attackers deploying JavaServer Pages (JSP) web shells on unpatched Windchill and FlexPLM instances, giving them ongoing command execution and a foothold for data exfiltration long after the initial compromise. PTC has published indicators of compromise and is updating its advisory as new attacker activity is identified, which itself signals that exploitation is continuing rather than winding down.

Why this is a manufacturing supply chain problem

Windchill and FlexPLM are not niche tools. They sit at the centre of product design, engineering change management, and manufacturing planning for automotive, aerospace, defence, and heavy machinery organisations, many of which run their entire product data backbone through this software. Europe’s automotive and aerospace sectors, concentrated in Germany, France, and Italy, depend heavily on exactly this category of PLM platform to coordinate design data across manufacturers and their supplier networks.

A compromised Windchill instance is not just a single-company incident. Product lifecycle data routinely includes proprietary engineering designs, supplier specifications, and manufacturing process details shared across a multi-tier supply chain. An attacker with a persistent webshell on that system has a plausible path to intellectual property theft, industrial espionage, or a foothold for further lateral movement into operational technology environments, an outcome regulators increasingly expect critical manufacturers to prevent under NIS2’s supply chain risk provisions.

What we recommend

  • Identify every Windchill and FlexPLM instance in your environment, including systems managed by suppliers or engineering contractors on your behalf
  • Apply PTC’s patch under advisory CS473270 immediately, prioritising any instance reachable from the internet
  • Check systems against PTC’s published indicators of compromise for signs of existing webshell deployment, since patching alone does not remove an implant already placed on a compromised server
  • Review network segmentation between PLM systems and both IT and OT environments, given the sensitivity of the data these platforms typically hold
  • Treat this as a supplier risk question as well as an internal one, and confirm that any vendor or engineering partner with Windchill access has patched their own environment

If your organisation relies on PTC Windchill, FlexPLM, or similar industrial software and needs help auditing exposure, verifying patch coverage across a supplier network, or assessing whether your NIS2 supply chain obligations are actually met, contact Excello Digital. We help European manufacturers and their engineering partners turn active exploitation warnings into a patched, verified environment.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!