CVE-2026-12569 is a CISA KEV-listed critical (CVSS 9.5) Java deserialization RCE in PTC Windchill PDMLink and FlexPLM, with confirmed active exploitation and JSP web shells discovered on compromised systems including instances where patches have been applied. Any organization running these product lifecycle management platforms must assume pre-patch compromise is possible and conduct a web shell hunt regardless of patch status.