CVE-2026-4681
published 2026-03-23


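Priority: P267 | Severity: critical | CVSS 4.0 score: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
EPSS: 0.67% (47.4th percentile)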
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

Affected

20 ranges
Vendor | Product | Version range | Fixed in
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | flexplm | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |
ptc | windchill_pdmlink | |

Detection & IOCs (extracted from sources)

filename: GW.class
filename: payload.bin
filename: dpr_.jsp
command: run?p=
command: .jsp?c=
  • Check for presence of webshell files GW.class, payload.bin, or dpr_.jsp on the Windchill/FlexPLM server filesystem — their presence indicates attacker weaponization prior to RCE.
  • Hunt for suspicious HTTP requests containing URL patterns run?p= or .jsp?c= combined with unusual User-Agent strings in web server logs.
  • Monitor application and server logs for errors or strings referencing GW, GW_READY_OK, or unexpected gateway exceptions as indicators of exploitation activity.
  • Mitigation requires applying Apache/IIS server rules to deny access to the affected servlet path. The same mitigation must be applied to ALL deployments (Windchill, FlexPLM, file/replica servers), not only internet-facing systems, though internet-facing instances should be prioritized.
  • For Windchill releases prior to 11.0 M030, the standard workaround steps may need to be altered, as those releases are unsupported.
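
The three hunting checks listed above, as a small Python sketch (an added example, not code from PTC or from this page's sources). It assumes Apache combined-format access logs; the sample log lines, the `/placeholder/` paths and the addresses are constructed, and the function names are hypothetical.

```python
import os
import re

# Indicators quoted on this page.
IOC_FILENAMES = {"GW.class", "payload.bin", "dpr_.jsp"}
URL_PATTERNS = ("run?p=", ".jsp?c=")
LOG_MARKER = re.compile(r"\bGW(_READY_OK)?\b")

# Assumption: Apache/NCSA "combined" access-log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_ioc_files(root):
    """Return sorted paths under root whose file name is a listed IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f in IOC_FILENAMES]
    return sorted(hits)

def hunt_requests(lines):
    """Return (ip, uri, status, user_agent) for requests matching a URL IOC."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m and any(p in m["uri"] for p in URL_PATTERNS):
            hits.append((m["ip"], m["uri"], m["status"], m["ua"]))
    return hits

def hunt_log_markers(lines):
    """Return application-log lines that reference GW or GW_READY_OK."""
    return [ln.rstrip("\n") for ln in lines if LOG_MARKER.search(ln)]

# Constructed sample lines (documentation addresses, placeholder paths).
SAMPLE_ACCESS = [
    '198.51.100.7 - - [24/Mar/2026:10:01:02 +0000] "GET /placeholder/app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Mar/2026:10:02:11 +0000] "GET /placeholder/dpr_.jsp?c=x HTTP/1.1" 200 87 "-" "constructed-agent/0.1"',
    '203.0.113.9 - - [24/Mar/2026:10:02:40 +0000] "POST /placeholder/run?p=x HTTP/1.1" 500 0 "-" "constructed-agent/0.1"',
]
SAMPLE_APP = ["INFO startup complete", "ERROR gateway exception: GW_READY_OK"]

if __name__ == "__main__":
    for hit in hunt_requests(SAMPLE_ACCESS):
        print("request:", hit)
    print("markers:", hunt_log_markers(SAMPLE_APP))
```

The User-Agent is returned with each hit for analyst review rather than scored, since the page does not define which User-Agent strings count as unusual.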