Summary

A critical Remote Code Execution (RCE) vulnerability, CVE-2026-4681, has been reported in Windchill and FlexPLM. The issue stems from unsafe deserialization of untrusted data, allowing an attacker to execute arbitrary code remotely. CVSS v3.1 rates this vulnerability as 10.0 (Critical). No confirmed exploitation has been observed so far, but publicly accessible systems are at high risk.

Affected Systems and/or Applications

The following Windchill PDMLink and FlexPLM versions are affected:

• Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
• FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0

Systems running releases prior to 11.0 M030 are also impacted and may require altered workarounds.
All environments, whether Internet-facing or internal, should apply mitigations.

Technical Details

The vulnerability is caused by unsafe deserialization of untrusted data, enabling attackers to submit crafted payloads that execute arbitrary code with Windchill/FlexPLM service privileges.

Attack Vector

• Exploitation occurs via HTTP requests targeting:  
     
  • /servlet/WindchillGW/com.ptc.wvs.server.publish.Publish
     
  • /servlet/WindchillAuthGW/com.ptc.wvs.server.publish.Publish
   
• Common payload patterns include: run?p=, .jsp?p=, run?c=, .jsp?c=

Indicators of Compromise (IOCs)

Network / User-Agent:

• Requests using:
  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

File System Artifacts:

• Malicious .class and .jsp files such as:  
     
  • GW.class, payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)
     
  • Random JSP: dpr_<8-hex-digits>.jsp
     
  • Other class files: Gen.class, HTTPRequest.class, WTContextUpdate.class
   

Logs:

• Error messages referencing GW_READY_OK
• ClassNotFoundException for GW
• Windchill Error / HTTP Gateway Exception

Functional Implications

Successful exploitation allows full remote code execution, enabling attackers to modify data, deploy malware, or pivot further inside the network.

Mitigation

Immediate Actions

1. Protect public-facing systems immediately.
2. Apply temporary workarounds as needed.

Apache HTTP Server Workaround

Create file:

>APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf`  

Add:

apache
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>

Restart Apache (`apachectl stop && apachectl start` on Linux, or via Services on Windows).

IIS Workaround

Edit <WT_HOME>\web.config:

<rewrite>
  <rules>
    <rule name="Block Windchill Publish Servlet" stopProcessing="true">
      <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(;[^/]*)?/.*$" ignoreCase="true" />
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access Denied" />
    </rule>
  </rules>
</rewrite>

Restart IIS.

Additional Protective Measures

• Shut down Windchill/FlexPLM services if patching is not immediate.
• Disconnect Internet exposure.
• Monitor logs, traffic, and file systems.
• Contact PTC support if suspicious activity is detected.

Once applied, mitigations should not impact system functionality. Patches will be released by PTC for all supported versions.

What the Cyber Fusion Center is Doing

The CFC is monitoring developments and will update this advisory as needed.

References

• Notice of Windchill and FlexPLM Critical Vulnerability, March 20, 2026 – EAC Product Development Solutions
• Windchill & FlexPLM Critical Vulnerability Updates and Remediation | March 2026 | PTC

‍