Cyber Threat Brief — June 27 2026
⚠️ This report is AI-generated. Always validate findings.
1. PTC Windchill/FlexPLM Webshell Campaign — CVE-2026-12569
TL;DR: Unauthenticated RCE in PTC Windchill/FlexPLM (CVSS 9.3) is under active exploitation deploying persistent JSP webshells. CISA KEV added June 25; federal deadline TOMORROW June 28.
What’s New:
- CISA KEV addition June 25 — first PTC product on KEV; 3-day federal remediation deadline (June 28)
- Attackers deploying JSP webshells with 16-hex-char filenames under /Windchill/codebase/login/
- Custom C2 header X-windchill-req: ?x8Fmgow (first char = command selector); no legitimate Windchill use
- Targets: aerospace, defense, automotive, heavy machinery PLM deployments
- PTC advisory confirms “continued reports of heightened threat activity” as of June 25
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /Windchill/login/[0-9a-f]{16}.jsp | Webshell URI | T1505.003 | WAF / HTTP access logs | Block+Hunt |
| X-windchill-req: ?x8Fmgow header | C2 channel | T1071.001 | WAF / reverse proxy | Block |
| SHA-256 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c | Webshell hash | T1505.003 | EDR / FIM | Hunt |
| /tmp/flst.txt or $WINDCHILL_HOME/flst.txt | Recon artifact | T1083 | FIM / filesystem audit | Hunt |
| .jsp files matching [0-9a-f]{16}\.jsp under codebase/login/ | Webshell pattern | T1505.003 | FIM | Hunt |
| Windchill 11.0–13.1.3.0 / FlexPLM 11.0–13.0.3.0 | Vuln version | T1190 | Asset inventory | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for Windchill-specific webshell paths or X-windchill-req header |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes (partial) | Missing Windchill/Tomcat-specific context |
| Sigma | Webshell Detection via File Creation (generic) | No Windchill login path pattern |
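The Detection table above shows no vendor rule for the Windchill webshell path or the X-windchill-req header. As an added example (not code from PTC or any of the cited sources), the following Python checks access-log lines and parsed request headers against those two indicators, on constructed sample input; the log format and the Host value are assumptions.

```python
import re

# Indicators quoted in the brief above (section 1). The detection logic itself
# is an added example, not PTC's or the cited sources' code.
WEBSHELL_URI = re.compile(r"^/Windchill/login/[0-9a-f]{16}\.jsp$")
C2_HEADER = "x-windchill-req"

# Assumed Apache/Tomcat Combined Log Format prefix:
#   ip ident user [time] "METHOD URI PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

def scan_access_log(lines):
    """Return (ip, timestamp, method, path, status) for every request whose
    path matches the 16-hex-char JSP pattern. Any method is reported, not
    only POST: no legitimate Windchill file under /login/ has such a name."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        path = m.group("uri").split("?", 1)[0]  # ignore query string when matching
        if WEBSHELL_URI.match(path):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         path, int(m.group("status"))))
    return hits

def c2_header_value(headers):
    """Return the X-windchill-req value if the header is present (header name
    compared case-insensitively), else None. Presence alone is the indicator;
    the brief states the first character of the value selects the command."""
    for name, value in headers.items():
        if name.lower() == C2_HEADER:
            return value
    return None

# Constructed sample log lines (not real traffic): one benign app request, two
# requests to the same webshell name, one legitimate login page.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2026:14:02:11 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120
10.0.0.9 - - [26/Jun/2026:14:03:40 +0000] "POST /Windchill/login/3f9a1c0b7e2d4a68.jsp HTTP/1.1" 200 311
10.0.0.9 - - [26/Jun/2026:14:03:41 +0000] "POST /Windchill/login/3f9a1c0b7e2d4a68.jsp?c=1 HTTP/1.1" 200 204
10.0.0.7 - - [26/Jun/2026:14:05:02 +0000] "GET /Windchill/login/index.jsp HTTP/1.1" 200 1200
""".splitlines()
```

Run `scan_access_log` over the real access log and `c2_header_value` in the WAF or reverse-proxy hook; a hit on either should trigger the Block+Hunt action from the table.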
Sources: CISA KEV Alert (June 25) · The Hacker News · PTC Advisory · SecurityWeek
2. DirtyClone Linux Kernel LPE — CVE-2026-43503
TL;DR: JFrog published a working exploit walkthrough June 25 for DirtyClone, a DirtyFrag-family page-cache corruption bug granting silent root on Linux v5.18–v7.1-rc6. High risk for multi-tenant cloud, Kubernetes, and containerized workloads.
What’s New:
- JFrog Security Research exploit walkthrough published June 25 — first public working demonstration
- Exploits skb_clone() + XFRM/IPsec crypto transform to corrupt shared file-backed page-cache memory
- Overwrites cached /bin/su (or any setuid binary) in memory to drop a root shell
- Silent exploitation: no kernel logs, no audit traces, bypasses on-disk integrity monitoring
- Requires CAP_NET_ADMIN, obtainable via unprivileged user namespaces on most distros
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| act_pedit / cls_flower / act_mirred kernel modules loaded | Exploit prereq | T1068 | Auditd / module load events | Detect |
| CAP_NET_ADMIN acquired via user namespace | Priv technique | T1068 | Auditd SECCOMP / namespace events | Detect |
| XFRM SA creation by non-root process | Exploit step | T1068 | ip xfrm / Auditd netlink | Detect |
| Page-cache hash mismatch on setuid binaries | Post-exploit indicator | T1068 | FIM (compare runtime vs disk hash) | Hunt |
| Kernel v5.18–v7.1-rc6 (commit 899ee91156e5 through fix) | Vuln version | T1068 | Asset inventory | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for page-cache corruption or DirtyFrag family |
| Elastic | None | No coverage for act_pedit abuse or user-namespace CAP_NET_ADMIN escalation |
| Sigma | None | No rule for DirtyClone/DirtyFrag exploitation patterns |
Sources: JFrog Security Research · The Hacker News · Red Hat RHSB-2026-008
Status Updates
- CVE-2026-20253 (Splunk Enterprise RCE): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. Upgrade to 10.4.0/10.2.4/10.0.7. No ESCU rule for sidecar endpoint abuse. Original brief.
- CVE-2026-50656 (RoguePlanet/Windows Defender): Still UNPATCHED. No Microsoft timeline for fix. WDAC/AppLocker remains primary mitigation. Original brief.
- CVE-2026-4681 (PTC Windchill — Java deser): Still no patch. German police physical outreach continues. Today’s CVE-2026-12569 is a separate Windchill RCE. Original brief.
- CVE-2026-34908/34909/34910 (Ubiquiti UniFi OS): Federal deadline passed June 26. ITW exploitation ongoing. Patch to 5.0.8+. Original brief.