CVE-2026-4681
published 2026-03-23CVE-2026-4681: A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the…
PriorityP267critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCLSILSALEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUYRUVCREMURed
EPSS
0.67%
47.4th percentile
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | flexplm | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
| ptc | windchill_pdmlink | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Check for presence of webshell files GW.class, payload.bin, or dpr_.jsp on the Windchill/FlexPLM server filesystem — their presence indicates attacker weaponization prior to RCE. ↗
- →Hunt for suspicious HTTP requests containing URL patterns run?p= or .jsp?c= combined with unusual User-Agent strings in web server logs. ↗
- →Monitor application and server logs for errors or strings referencing GW, GW_READY_OK, or unexpected gateway exceptions as indicators of exploitation activity. ↗
- ·Mitigation requires applying Apache/IIS server rules to deny access to the affected servlet path; the same mitigation must be applied to ALL deployments (Windchill, FlexPLM, file/replica servers), not only internet-facing systems — though internet-facing instances should be prioritized. ↗
- ·For Windchill releases prior to 11.0 M030, the standard workaround steps may need to be altered as those releases are unsupported. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jfrx-fmg3-3p8m: A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM
ghsa_unreviewed·2026-03-24
CVE-2026-4681 [CRITICAL] CWE-94 GHSA-jfrx-fmg3-3p8m: A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
CISA ICS
PTC Windchill Product Lifecycle Management
cisa_ics·2026-03-26·CVSS 9.3
[CRITICAL] PTC Windchill Product Lifecycle Management
ICS Advisory
##
PTC Windchill Product Lifecycle Management
Release DateMarch 26, 2026
Alert CodeICSA-26-085-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.
The following versions of PTC Windchill Product Lifecycle Management are affected:
- Windchill PDMLink 11.0_M030 (CVE-2026-4681)
- Windchill PDMLink 11.1_M020 (CVE-2026-4681)
- Windchill PDMLink 11.2.1.0 (CVE-2026-4681)
- Windchill PDMLink 12.0.2.0 (CVE-2026-4681)
- Windchill PDMLink 12.1.2.0 (CVE-2026-4681)
- Windchill PDMLink 13.0.2.0 (CVE-2026-4681)
- Windchill PDMLink 13.1.0.0 (CVE-2026-4681)
- Windchill PDMLink 13.1.1.0 (CVE-2026
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
blogs_hackernews·2026-03-30·CVSS 9.3
[CRITICAL] ⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention.
There's a bit of everything this week. Persistence plays, legal wins, influence ops, and at least one thing that looks boring until you see what it connects to.
All of it below. Let's go.
## ⚡ Threat of the Week
Citrix Flaw Comes Under Active Exploitation — A cr
Bleepingcomputer
PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
blogs_bleepingcomputer·2026-03-24·CVSS 9.3
CVE-2026-4681 [CRITICAL] PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
## PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
## Bill Toulas
PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution.
The security issue, identified as CVE-2026-4681, could be leveraged through the deserialization of trusted data.
Its severity has prompted emergency action from German authorities, with the federal police (BKA) reportedly sending agents to affected companies to alert them to the cybersecurity risk.
## Fix under development
There are no official patches available, but PTC states that it is “actively developing and releasing security patches for all supported Windchill versions” to address the issue.
According to the vendor, the
2026-03-23
Published