PTC Warns of Critical Windchill, FlexPLM Flaw Enabling Remote Code Execution

PTC has issued an urgent advisory for CVE-2026-4681, a code-injection deserialization flaw in Windchill PDMLink and FlexPLM that enables remote code execution and affects numerous releases. PTC has published immediate mitigations for Apache and IIS, along with IOCs to monitor. Where the mitigations cannot be applied, it recommends shutting down or isolating the affected services, and it is offering 24×7 support to customers.

Key points

  • CVE-2026-4681 is a CWE-94 deserialization/code-injection flaw that can allow arbitrary code execution.
  • Multiple Windchill PDMLink and FlexPLM releases are affected, and all CPS versions before 11.0 M030 are also susceptible.
  • The issue carries a CVSS v3.1 base score of 10.0 and a CVSS v4 score of 9.3, indicating critical severity.
  • PTC’s temporary mitigations include adding a 90-app-Windchill-Auth.conf deny directive for Apache and an IIS URL Rewrite rule, both of which must also be applied to File Server and Replica Server setups.
  • Monitor for IOCs such as the specified User-Agent, suspicious run?p=/.jsp?p= or run?c=/.jsp?c= requests, GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1), and related class or JSP files, and report incidents immediately.
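
A triage sketch for the IOCs in the last key point, added here as an example and not taken from PTC's advisory: it scans web access-log lines for the listed request patterns and walks a directory for the listed file names and SHA-256. It assumes "run?p=/.jsp?p=" denotes the substrings "run?p=" and ".jsp?p=" (likewise for "c="), assumes common/combined log format, and skips the User-Agent check because this page does not give the value; the sample log lines are constructed.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import unquote

# SHA-256 quoted on this page for GW.class / payload.bin, lower-cased for comparison.
IOC_SHA256 = "c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1"
IOC_NAMES = {"gw.class", "payload.bin"}
# Assumption: "run?p=/.jsp?p=" means the substrings "run?p=" and ".jsp?p=" (same for c=).
URI_IOC = re.compile(r"(?:run|\.jsp)\?[pc]=", re.IGNORECASE)
REQUEST = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')  # request line in a log entry

def suspicious_requests(log_lines):
    """Return (line_number, uri) for requests whose decoded URI matches the IOC patterns."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        # Decode percent-escapes so an encoded "?" or "=" does not hide the pattern.
        if match and URI_IOC.search(unquote(match.group("uri"))):
            hits.append((number, match.group("uri")))
    return hits

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def suspicious_files(root):
    """Return (relative_path, reason) for files matching the IOC hash or file names."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            if sha256_of(path) == IOC_SHA256:  # hash match catches renamed copies
                hits.append((path.relative_to(root).as_posix(), "sha256"))
            elif path.name.lower() in IOC_NAMES:
                hits.append((path.relative_to(root).as_posix(), "name"))
    return hits

# Constructed sample entries (addresses, paths and parameters are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /constructed/view.jsp?page=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /constructed/run?p=AAAA HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /constructed/x.JSP%3Fc=BBBB HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```

A name-only hit is a lead to investigate rather than proof of compromise; a hash hit matches the exact file the page lists.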

Read More: https://thecyberexpress.com/flexplm-vulnerability-cve-2026-4681/