PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3. 

Vulnerability details:

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically: 

• Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0  
• FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0  

Description

• The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
• CVE-2026-4681 has been reported
  • CWE – CWE-94: Improper Control of Generation of Code (‘Code Injection’) (4.19.1)
  • Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
    • CVSS v3.1 Base Score: 10.0 (Critical)
    • CVSS v4 Base Score: 9.3 (Critical)
• At this time, there is no evidence of confirmed exploitation affecting PTC customers

Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability

Immediate Mitigation Steps 

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include: 

For Apache HTTP Server 

1. Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.  
2. Add the following directive: 

<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied 

• Ensure this file is the last in the configuration sequence and restart the Apache server.  

For Microsoft IIS 

1. Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.  
2. Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.  
3. Restart IIS using iisreset and confirm the rule is active in IIS Manager.  

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures. 

Additional Protection Measures 

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet. 

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.

Indicators of Compromise 

Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability: 

Network and User-Agent Patterns 

• User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36  
• Suspicious HTTP requests: run?p= .jsp?p=, run?c= .jsp?c=  

File System Indicators 

• GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)  
• Any dpr_<8-hex-digits>.jsp file  
• Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents  

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution. 

Log and Error Patterns 

• Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception  

PTC strongly urges customers to report any identified

Log and Error Patterns 

• Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception  

• PTC strongly urges customers to report any new identified IOCs immediately and initiate security response plans. 

• This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments.

• By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect their data

Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv