
Urgent Alert: Windchill and FlexPLM Vulnerability Poses Imminent Risk, PTC Urges Immediate Action


PTC Inc. has issued a warning regarding a severe vulnerability in Windchill and FlexPLM, two widely utilized product lifecycle management (PLM) solutions, that could potentially lead to remote code execution.

The identified security flaw, tracked as CVE-2026-4681, could be exploited through the deserialization of untrusted data.

The seriousness of this vulnerability has prompted urgent action from German authorities, with reports indicating that the federal police (BKA) have dispatched agents to notify affected companies about the cybersecurity threat.

Development of a Solution in Progress

While official patches are not yet available, PTC has stated that they are actively working on developing and releasing security patches for all supported versions of Windchill to address this issue.

According to the vendor, the vulnerability affects most supported versions of Windchill and FlexPLM, including all critical patch sets (CPS) versions.

Until the patches are released, system administrators are advised to implement the Apache/IIS rule provided by the vendor to block access to the affected servlet path. PTC has assured that this mitigation will not impact functionality.

This mitigation should be applied across all deployments, including Windchill, FlexPLM, and any file/replica servers, not just those accessible via the internet. However, PTC recommends giving priority to mitigating actions on internet-facing instances.

If applying the mitigation is not feasible, the vendor suggests temporarily disconnecting the affected instances from the internet or shutting down the service.

Indicators of Compromise (IoCs) Available

While PTC has not observed any exploitation of the vulnerability against its customers, they have published a set of specific indicators of compromise (IoCs) that include a user agent string and files.


Furthermore, the bulletin provides guidance on detecting potential threats, such as checking for webshells (GW.class, payload.bin, or dpr_<random>.jsp files) and suspicious requests with patterns like run?p= / .jsp?c= combined with unusual User-Agent activity, errors referring to GW, GW_READY_OK, or unexpected gateway exceptions.

“Presence of the GW.class or dpr_<8-hex-digits>.jsp on the Windchill server indicates the attacker has completed weaponization on the system prior to conducting remote code execution (RCE)” – PTC
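The detection guidance relayed above (webshell file names, the run?p= / .jsp?c= request patterns with an unusual User-Agent, and GW / GW_READY_OK / gateway-exception errors) as a small triage script. This is an added example, not PTC's tooling: the log lines are constructed, the request path is a placeholder rather than the affected servlet path, and the expected User-Agent prefixes are an assumption to adapt to your environment.

```python
import re

# Patterns from the detection guidance PTC published, as relayed above.
WEBSHELL_NAME_RE = re.compile(r"^(GW\.class|payload\.bin|dpr_[0-9a-f]{8}\.jsp)$", re.IGNORECASE)
REQUEST_RE = re.compile(r"run\?p=|\.jsp\?c=")
ERROR_RE = re.compile(r"\bGW_READY_OK\b|\bGW\b|gateway\s*exception", re.IGNORECASE)
# Combined-format access log line; adapt the layout to your Apache/IIS log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def is_webshell_name(filename):
    """True when a file name matches one of the webshell names in the bulletin."""
    return bool(WEBSHELL_NAME_RE.match(filename))


def scan_access_log(lines, expected_ua_prefixes=("Mozilla/",)):
    """Return (line_no, client_ip, reason) for requests matching the bulletin's
    patterns. expected_ua_prefixes is an assumption: prefixes your real clients use."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m or not REQUEST_RE.search(m["req"]):
            continue
        reason = "suspicious request pattern"
        if not m["ua"].startswith(expected_ua_prefixes):
            reason += " + unusual User-Agent"
        hits.append((n, m["ip"], reason))
    return hits


def scan_error_log(lines):
    """Return line numbers of entries referring to GW, GW_READY_OK or gateway exceptions."""
    return [n for n, line in enumerate(lines, 1) if ERROR_RE.search(line)]


# Constructed sample data; "placeholder" stands in for the affected servlet path.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "POST /Windchill/placeholder/run?p=x HTTP/1.1" 200 77 "-" "Java/1.8.0_202"',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /Windchill/dpr_1a2b3c4d.jsp?c=x HTTP/1.1" 200 33 "-" "Java/1.8.0_202"',
    '10.0.0.9 - - [01/Jan/2026:10:01:00 +0000] "GET /Windchill/placeholder/run?p=y HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux) Chrome/120.0"',
]
SAMPLE_ERRORS = [
    "2026-01-01 10:00:02 INFO  MethodServer started",
    "2026-01-01 10:00:04 ERROR GW_READY_OK",
    "2026-01-01 10:00:06 WARN  unexpected gateway exception in servlet",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS):
        print("access log line %d from %s: %s" % hit)
    print("error log lines to review:", scan_error_log(SAMPLE_ERRORS))
```

A request matching the pattern from a normal browser User-Agent is still reported, only without the User-Agent flag, so the file-name check and the error-log markers should be reviewed together with the request hits rather than in isolation.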

In an email sent to customers, PTC mentioned that “there is credible evidence of an imminent threat by a third-party group to exploit the vulnerability.”

According to reports from Heise, BKA officers took urgent action over the weekend to warn companies nationwide about the risks associated with CVE-2026-4681, even those not utilizing the affected products.

Heise also reported that BKA officials woke up system administrators in the middle of the night to deliver a copy of PTC’s notification and informed state criminal investigation offices (LKA) in various federal states.

This swift and unusual response from the authorities has raised concerns that CVE-2026-4681 is likely to be exploited in the near future, if it has not been already.

Given that PLM systems are used by engineering firms in critical sectors such as weapons system design, industrial manufacturing, and crucial supply chains, the authorities’ proactive measures may be justified in safeguarding against industrial espionage and other national security risks.
