TheCyberExpress

FlexPLM Vulnerability Enables Critical RCE Risk Now


PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and a CVSS v4 score of 9.3. 

The vulnerability affects a broad range of Windchill PDMLink and FlexPLM releases, specifically: 

  • Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0  
  • FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0  

The advisory stresses that all CPS versions before 11.0 M030 are also susceptible. PTC confirmed that, to date, there is no evidence of active exploitation affecting its customers, but the risk remains critical due to the nature of the Remote Code Execution threat. 

Nature of the Windchill and FlexPLM Vulnerability 

The reported vulnerability stems from improper handling of deserialized, untrusted data. Exploitation can allow an attacker to execute arbitrary code on affected systems, compromising security and potentially enabling full system takeover.

PTC highlighted that the vulnerability is particularly dangerous for publicly accessible Windchill and FlexPLM instances, though they advise applying mitigations to all deployments regardless of Internet exposure.

Immediate Mitigation Steps 

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include: 


For Apache HTTP Server 

  1. Create a new configuration file named 90-app-Windchill-Auth.conf under /conf/conf.d/ 
  2. Add the following directive: 

     Require all denied 

  3. Ensure this file is the last in the configuration sequence and restart the Apache server.  

For Microsoft IIS 

  1. Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.  
  2. Modify the web.config file to include the rewrite rule as the first tag in  
  3. Restart IIS using iisreset and confirm the rule is active in IIS Manager.  

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures. 

Additional Protection Measures 

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet. 

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customers, the Apache workaround has already been implemented across all hosted environments. 

Indicators of Compromise 

Security teams are advised to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability: 

Network and User-Agent Patterns 

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36  
  • Suspicious HTTP requests containing run?p=, .jsp?p=, run?c= or .jsp?c=  

File System Indicators 

  • GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)  
  • Any dpr_<8-hex-digits>.jsp file  
  • Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class and WTContextUpdate.class, and their Java source equivalents  

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution. 

Log and Error Patterns 

  • Messages referencing GW_READY_OK  
  • ClassNotFoundException for GW Windchill  
  • HTTP Gateway Exception  
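As an added example (not part of the advisory or of PTC's tooling), the following Python script turns the three indicator groups above into a repeatable check: it scans web-server access-log lines for the request patterns and User-Agent, scans application-log lines for the quoted error strings, and walks a directory for the named class files, dpr_<8-hex-digits>.jsp files and the payload.bin hash. The sample log lines are constructed for illustration; the hashing of every small file under the tree (to catch a renamed payload.bin) and the treatment of the User-Agent as a corroborating rather than standalone signal are this example's own design choices, not PTC guidance.

```python
"""Scan access logs, Windchill/FlexPLM log output and a directory tree for the
IoCs listed in the PTC advisory (added example; constructed sample data)."""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Indicators quoted from the advisory as reported above
SUSPICIOUS_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"
)
REQUEST_PATTERNS = ("run?p=", ".jsp?p=", "run?c=", ".jsp?c=")
PAYLOAD_SHA256 = "c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1"
IOC_FILENAMES = frozenset({
    "GW.class", "payload.bin", "Gen.class", "HTTPRequest.class",
    "HTTPResponse.class", "IXBCommonStreamer.class", "IXBStreamer.class",
    "MethodFeedback.class", "MethodResult.class", "WTContextUpdate.class",
})
DPR_JSP_PATTERN = re.compile(r"^dpr_[0-9a-fA-F]{8}\.jsp$")
LOG_STRINGS = ("GW_READY_OK", "ClassNotFoundException for GW Windchill",
               "HTTP Gateway Exception")


def classify_request_line(line: str) -> List[str]:
    """Reasons an access-log line matches the network IoCs.

    A request-pattern hit is the strong signal. The advisory's User-Agent is a
    stock Chrome 137 string, so on its own it only corroborates a hit."""
    reasons = [f"request pattern {p!r}" for p in REQUEST_PATTERNS if p in line]
    if SUSPICIOUS_USER_AGENT in line:
        reasons.append("advisory user-agent")
    return reasons


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """(line_number, reasons) for lines with at least one request-pattern hit;
    UA-only lines are dropped to keep the output actionable."""
    hits = []
    for n, line in enumerate(lines, start=1):
        reasons = classify_request_line(line)
        if any(r.startswith("request pattern") for r in reasons):
            hits.append((n, reasons))
    return hits


def scan_application_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line_number, matched_string) for Windchill/FlexPLM log lines."""
    return [(n, s) for n, line in enumerate(lines, start=1)
            for s in LOG_STRINGS if s in line]


def classify_filename(name: str) -> Optional[str]:
    """Why a file name is an IoC, or None if it is not."""
    if name in IOC_FILENAMES:
        return "named IoC file"
    if DPR_JSP_PATTERN.match(name):
        return "dpr_<8-hex-digits>.jsp file"
    if name.endswith(".java") and name[:-5] + ".class" in IOC_FILENAMES:
        return "Java source of IoC class"
    return None


def matches_payload_hash(data: bytes) -> bool:
    """True if the bytes hash to the advisory's payload.bin SHA256."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and report (path, reason) for name and hash matches."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reason = classify_filename(path.name)
        if reason:
            findings.append((str(path), reason))
        # Design choice of this example: also hash small files so a renamed
        # payload.bin is still caught.
        if path.stat().st_size < 1_048_576 and matches_payload_hash(path.read_bytes()):
            findings.append((str(path), "SHA256 matches payload.bin"))
    return findings


# Constructed sample lines (not real traffic or real server output)
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2026:10:00:05 +0000] "POST /Windchill/servlet/run?p=x HTTP/1.1" 200 12 "-" "'
    + SUSPICIOUS_USER_AGENT + '"',
    '198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /Windchill/dpr_1a2b3c4d.jsp?c=id HTTP/1.1" 200 40 "-" "curl/8.0"',
]
SAMPLE_APP_LOG = [
    "INFO  wt.method.server - MethodServer started",
    "ERROR wt.method.server - java.lang.ClassNotFoundException for GW Windchill",
]

if __name__ == "__main__":
    for n, reasons in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"access log line {n}: {', '.join(reasons)}")
    for n, s in scan_application_log(SAMPLE_APP_LOG):
        print(f"application log line {n}: {s!r}")
```

Run it against real logs by feeding a file object to scan_access_log and scan_application_log, and point scan_tree at the Windchill or FlexPLM installation and temp directories. The SHA256 is compared lower-case, so the upper-case value from the advisory matches as written.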

PTC strongly urges customers to report any identified IOCs immediately and initiate internal security response plans. This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments. By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect sensitive data.


