PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
Publish Date: 2026-03-24 19:04:00
Source Domain: www.bleepingcomputer.com
PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution.
The security issue, identified as CVE-2026-4681, could be leveraged through the deserialization of trusted data.
Its severity has prompted emergency action from German authorities, with the federal police (BKA) reportedly sending agents to affected companies to alert them to the cybersecurity risk.
Fix under development
There are no official patches available, but PTC states that it is “actively developing and releasing security patches for all supported Windchill versions” to address the issue.
According to the vendor, the flaw impacts most supported versions of Windchill and FlexPLM, including all critical patch sets (CPS) versions.
Until patches become available, system administrators are recommended to apply the vendor-provided Apache/IIS rule to deny access to the affected servlet path. PTC noted that the mitigation does not break functionality.
The same mitigation should be applied to all deployments, including Windchill, FlexPLM, and any file/replica servers, not just internet-facing systems. However, PTC advises prioritizing mitigations on internet-facing instances.
If mitigation is not possible, the vendor recommends temporarily disconnecting the affected instances from the internet or shutting down the service.
IoCs available
The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.
Additionally, the bulletin lists detection advice, including checks for webshells (GW.class, payload.bin, or dpr_.jsp files), suspicious requests with patterns such as run?p= / .jsp?c= combined with unusual User-Agent activity, errors referencing GW, GW_READY_OK, or unexpected gateway exceptions.
“Presence…
