PTC has issued an emergency notification warning customers of "credible evidence of an imminent threat" to exploit a critical remote code execution vulnerability in its widely deployed Windchill and FlexPLM product lifecycle management (PLM) platforms. The flaw, CVE-2026-4681, carries a perfect CVSS score of 10.0 and stems from unsafe deserialization of untrusted data.
The Vulnerability: CVE-2026-4681
At its core, the vulnerability allows an unauthenticated remote attacker to submit a crafted payload to a Windchill or FlexPLM server that, when deserialized, executes arbitrary code under the application's service account context. No prior authentication is required.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-4681 |
| CVSS v3.1 | 10.0 (Critical) |
| CWE | CWE-94 — Code Injection |
| Authentication | None required |
| Attack Vector | Network |
| Patch | Under active development |
PTC's advisory lists detection indicators including webshell artefacts — GW.class, payload.bin, or dpr_<random>.jsp files — as well as suspicious HTTP request patterns containing run?p= or .jsp?c= combined with unusual User-Agent strings. Errors referencing GW, GW_READY_OK, or unexpected gateway exceptions may also indicate prior exploitation.
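As an added example (not code from PTC or from the article), the following script triages the indicators quoted above: it flags access-log requests whose path carries run?p= or .jsp?c=, reports the User-Agent so an analyst can judge whether it is unusual for the site, checks file names against the artefact list, and pulls application-log lines mentioning GW or GW_READY_OK. The log format, host paths and sample lines are constructed assumptions; the only advisory-derived values are the request fragments, artefact names and error tokens.

```python
import re

# Indicators quoted in the article from PTC's advisory (request fragments, artefact names, error tokens).
SUSPICIOUS_REQUEST = re.compile(r"run\?p=|\.jsp\?c=")
ARTEFACT_NAMES = {"GW.class", "payload.bin"}
ARTEFACT_PATTERN = re.compile(r"^dpr_[A-Za-z0-9_-]+\.jsp$")   # dpr_<random>.jsp
ERROR_TOKENS = re.compile(r"\bGW_READY_OK\b|\bGW\b")

# Assumed Apache "combined" log format; only the fields used below are captured.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def scan_access_log(lines):
    """Return one dict per request whose path carries run?p= or .jsp?c= (User-Agent included for triage)."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and SUSPICIOUS_REQUEST.search(m.group("path")):
            hits.append({k: m.group(k) for k in ("ip", "time", "method", "path", "status", "ua")})
    return hits

def is_webshell_artefact(path):
    """True if the file name (Windows or POSIX path) matches one of the advisory's webshell artefacts."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name in ARTEFACT_NAMES or ARTEFACT_PATTERN.match(name) is not None

def scan_error_log(lines):
    """Return application-log lines mentioning GW or GW_READY_OK; a bare 'GW' hit still needs manual review."""
    return [line for line in lines if ERROR_TOKENS.search(line)]

# Constructed sample data (not real traffic); the path prefix and parameter values are placeholders.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2026:03:12:44 +0100] "GET /Windchill/app/run?p=PLACEHOLDER HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.10 - - [10/Mar/2026:08:00:05 +0100] "GET /Windchill/app/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.4 - - [10/Mar/2026:03:13:01 +0100] "POST /Windchill/app/dpr_k3x9.jsp?c=PLACEHOLDER HTTP/1.1" 200 88 "-" "curl/8.5.0"',
]
SAMPLE_ERROR_LOG = [
    "2026-03-10 03:12:45 ERROR GW_READY_OK received from unexpected gateway",
    "2026-03-10 08:00:06 INFO  Workflow engine started",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("suspicious request:", hit)
    print("artefact check:", is_webshell_artefact("/opt/ptc/Windchill/tomcat/webapps/ROOT/dpr_k3x9.jsp"))
    print("error log hits:", scan_error_log(SAMPLE_ERROR_LOG))
```

Run it against real access and application logs before applying the servlet restriction, as the advisory recommends, so that an already-compromised host is recognised rather than merely patched over.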
Affected Versions
A wide range of Windchill PDMLink and FlexPLM versions are confirmed vulnerable:
| Product | Affected Versions |
|---|---|
| Windchill PDMLink | 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0 |
| FlexPLM | 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0 |
Deployments running releases prior to 11.0 M030 are also impacted and may require customised workarounds due to differences in the available mitigation paths.
German Federal Police Mobilise
In an extraordinary response that underscores the severity of the threat, Germany's Bundeskriminalamt (BKA) dispatched officers across the country over the weekend to personally notify organisations of the risk posed by CVE-2026-4681 — including some companies that did not use any of the affected products. Officers reportedly contacted system administrators in the early morning hours and alerted state criminal investigation offices (LKA) in multiple federal states. This level of law enforcement mobilisation for a software vulnerability is rare and signals that authorities believe exploitation is imminent or already underway in limited scope.
PTC Cloud Customers Already Mitigated
PTC confirmed that for PTC Cloud Hosted Customers, the Apache HTTP Server configuration workaround has already been applied to all hosted Windchill and FlexPLM systems. Self-hosted deployments remain the primary concern.
Mitigations and Interim Workarounds
While official patches are under active development, PTC recommends the following immediate mitigations for all affected deployments:
- Apply the Apache/IIS servlet path restriction rule provided by PTC to deny access to the vulnerable servlet path. This applies to Windchill, FlexPLM, and all file/replica servers — not only internet-facing systems, as internal networks are not considered a safe boundary.
- Prioritise internet-facing deployments for immediate mitigation, but do not delay internal-only instances.
- If mitigation cannot be applied, PTC advises either temporarily disconnecting the affected instances from the network or fully shutting down the service until the patch is available.
- Inspect for indicators of compromise using the artefact and log patterns published in PTC's advisory before applying mitigations, to determine if exploitation may have already occurred.
PTC has also extended 24x7 support access to all customers at all support tier levels specifically for issues relating to this vulnerability.
Why PLM Systems Are High-Value Targets
Windchill and FlexPLM are used by manufacturers, aerospace, defence, automotive, and life sciences organisations to manage product design data, engineering bills of materials, and supply chain collaboration. A successful compromise provides access to sensitive intellectual property — including product schematics, manufacturing specifications, and supplier relationships — making these platforms attractive targets for state-sponsored espionage campaigns in addition to ransomware operators.
What Organisations Should Do Now
Security teams managing Windchill or FlexPLM installations should treat this as a P0 emergency:
- Apply PTC's Apache/IIS servlet restriction rule immediately on all instances
- Scan systems for the webshell artefacts and suspicious log patterns listed in the advisory
- Isolate internet-facing Windchill/FlexPLM deployments at the network perimeter until patched
- Monitor PTC's advisory portal for patch availability and apply updates as soon as they are released
- Engage PTC support (24x7 access granted) for deployment-specific guidance