Description
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions
* The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
Published: 2026-06-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote code execution vulnerability exists in PTC Windchill PDMlink and FlexPLM due to the deserialization of untrusted data. An attacker can cause the application to execute arbitrary code, potentially taking full control of the affected system and compromising confidentiality, integrity, and availability.

Affected Systems

The flaw affects all PTC FlexPLM and Windchill PDMlink releases before 11.0 M030, including all CPS versions. Users should verify if their installations are older than this release.

Risk and Exploitability

The CVSS score of 9.3 reflects a high severity and the EPSS score of less than 1% indicates a low but nonzero probability of exploitation. This vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, requiring an attacker to supply malicious serialized data to the vulnerable system over the network. Proper authentication or lack thereof is not specified, but the impact remains catastrophic if exploited.

Generated by OpenCVE AI on June 18, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PTC Windchill PDMlink and FlexPLM to version 11.0 M030 or later, applying any vendor-supplied patches.
  • Configure firewall or reverse proxy to restrict access to the endpoints that accept serialized data, limiting exposure to authenticated users only.
  • Enable logging and actively monitor for anomalous deserialization activity or suspicious patterns in incoming data.

Generated by OpenCVE AI on June 18, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Ptc
Ptc flexplm
Ptc windchill Pdmlink
Vendors & Products Ptc
Ptc flexplm
Ptc windchill Pdmlink

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
Title Remote Code Execution (RCE) vulnerability in Windchill PDMlink
Weaknesses CWE-20
CWE-502
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red'}

Subscriptions

Ptc Flexplm Windchill Pdmlink
cve-icon MITRE

Status: PUBLISHED

Assigner: PTC

Published:

Updated: 2026-06-18T13:05:09.022Z

Reserved: 2026-06-18T00:02:58.904Z

Link: CVE-2026-12569

cve-icon Vulnrichment

Updated: 2026-06-18T13:04:55.974Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:45:03Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-502

    Deserialization of Untrusted Data