PTC Windchill Vulnerability Allows Remote Code Execution
Summary
CISA issued an advisory regarding a critical remote code execution vulnerability (CVE-2026-4681) affecting multiple versions of PTC Windchill and FlexPLM. Successful exploitation could allow an attacker to gain control of affected systems.
What changed
CISA has issued an advisory (ICSA-26-085-03) detailing a critical vulnerability (CVE-2026-4681) in PTC Windchill and FlexPLM software. The vulnerability, identified as Improper Control of Generation of Code ('Code Injection'), allows for remote code execution if exploited through the deserialization of untrusted data. Numerous versions of Windchill PDMLink and FlexPLM are affected, impacting deployments worldwide within the Critical Manufacturing sector.
Organizations utilizing the affected PTC products must take immediate action. While PTC is developing a fix, CISA recommends applying a specific workaround involving Apache and IIS HTTP Server configuration updates to protect publicly accessible systems and all deployments. Failure to implement these mitigations could lead to unauthorized remote code execution and compromise of industrial control systems.
What to do next
- Apply recommended Apache and IIS HTTP Server configuration updates immediately.
- Protect any publicly accessible Windchill systems.
- Apply mitigation steps to all Windchill and FlexPLM deployments, regardless of internet exposure.
Source document (simplified)
ICS Advisory
PTC Windchill Product Lifecycle Management
Release Date
March 26, 2026
Alert Code ICSA-26-085-03 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF
Summary
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.
The following versions of PTC Windchill Product Lifecycle Management are affected:
- Windchill PDMLink 11.0_M030 (CVE-2026-4681)
- Windchill PDMLink 11.1_M020 (CVE-2026-4681)
- Windchill PDMLink 11.2.1.0 (CVE-2026-4681)
- Windchill PDMLink 12.0.2.0 (CVE-2026-4681)
- Windchill PDMLink 12.1.2.0 (CVE-2026-4681)
- Windchill PDMLink 13.0.2.0 (CVE-2026-4681)
- Windchill PDMLink 13.1.0.0 (CVE-2026-4681)
- Windchill PDMLink 13.1.1.0 (CVE-2026-4681)
- Windchill PDMLink 13.1.2.0 (CVE-2026-4681)
- Windchill PDMLink 13.1.3.0 (CVE-2026-4681)
- FlexPLM 11.0_M030 (CVE-2026-4681)
- FlexPLM 11.1_M020 (CVE-2026-4681)
- FlexPLM 11.2.1.0 (CVE-2026-4681)
- FlexPLM 12.0.0.0 (CVE-2026-4681)
- FlexPLM 12.0.2.0 (CVE-2026-4681)
- FlexPLM 12.0.3.0 (CVE-2026-4681)
- FlexPLM 12.1.2.0 (CVE-2026-4681)
- FlexPLM 12.1.3.0 (CVE-2026-4681)
- FlexPLM 13.0.2.0 (CVE-2026-4681)
- FlexPLM 13.0.3.0 (CVE-2026-4681)
| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 10 | PTC | PTC Windchill Product Lifecycle Management | Improper Control of Generation of Code ('Code Injection') |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-4681
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
Affected Products
PTC Windchill Product Lifecycle Management
Vendor:
PTC Product Version:
PTC Windchill PDMLink: 11.0M030, PTC Windchill PDMLink: 11.1M020, PTC Windchill PDMLink: 11.2.1.0, PTC Windchill PDMLink: 12.0.2.0, PTC Windchill PDMLink: 12.1.2.0, PTC Windchill PDMLink: 13.0.2.0, PTC Windchill PDMLink: 13.1.0.0, PTC Windchill PDMLink: 13.1.1.0, PTC Windchill PDMLink: 13.1.2.0, PTC Windchill PDMLink: 13.1.3.0, PTC FlexPLM: 11.0M030, PTC FlexPLM: 11.1M020, PTC FlexPLM: 11.2.1.0, PTC FlexPLM: 12.0.0.0, PTC FlexPLM: 12.0.2.0, PTC FlexPLM: 12.0.3.0, PTC FlexPLM: 12.1.2.0, PTC FlexPLM: 12.1.3.0, PTC FlexPLM: 13.0.2.0, PTC FlexPLM: 13.0.3.0 Product Status:
known_affected
Remediations
Mitigation
PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround. Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically: Protect any publicly accessible Windchill systems
Vendor fix
While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure
Vendor fix
Apply the same precautions to FlexPLM deployments
Vendor fix
The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system: Customers using Apache HTTP Server should only follow "Apache HTTP Server Configuration – Workaround Steps" section steps
Mitigation
Customers using Microsoft IIS should only follow "IIS Configuration - Workaround Steps" section steps
Mitigation
Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable
Mitigation
For Windchill releases prior to 11.0 M030, workarounds may need to be altered to apply to unsupported previous releases
Mitigation
For Apache HTTP Server and IIS configuration workaround steps, please refer to the official advisory at:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
Mitigation
If immediate remediation is not feasible, additional guidance and remediation options are available:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
| --- | --- | --- | --- |
| 3.1 | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Acknowledgments
- An anonymous source reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
- Initial Release Date: 2026-03-26
| Date | Revision | Summary |
| --- | --- | --- |
| 2026-03-26 | 1 | Initial Republication of PTC's CS466318 |
Legal Notice and Terms of Use
This product is provided subject to this Notification and this Privacy & Use policy.
Vendor
- PTC
Tags
Sector: Critical Manufacturing Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems
Please share your thoughts
We recently updated our anonymous product survey; we welcome your feedback.
Related Advisories
Mar 26, 2026
ICS Advisory | ICSA-26-085-02
OpenCode Systems OC Messaging and USSD Gateway
Mar 26, 2026
ICS Advisory | ICSA-26-085-01
WAGO GmbH & Co. KG Industrial Managed Switches
Mar 24, 2026
ICS Advisory | ICSA-26-083-01
Pharos Controls Mosaic Show Controller
Mar 24, 2026
ICS Advisory | ICSA-26-083-03
Schneider Electric Plant iT/Brewmaxx
Related changes
Source
Classification
Who this affects
Taxonomy
Browse Categories
Get Data Privacy & Cybersecurity alerts
Weekly digest. AI-summarized, no noise.
Free. Unsubscribe anytime.
Get alerts for this source
We'll email you when CISA ICS-CERT Advisories publishes new changes.