GoKawiilPTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution.
The security issue, identified as CVE-2026-4681, could be leveraged through the deserialization of trusted data.
Its severity has prompted emergency action from German authorities, with the federal police (BKA) reportedly sending agents to affected companies to alert them to the cybersecurity risk.
Fix under development
There are no official patches available, but PTC states that it is “actively developing and releasing security patches for all supported Windchill versions” to address the issue.
According to the vendor, the flaw impacts most supported versions of Windchill and FlexPLM, including all critical patch sets (CPS) versions.
Until patches become available, system administrators are recommended to apply the vendor-provided Apache/IIS rule to deny access to the affected servlet path. PTC noted that the mitigation does not break functionality.
The same mitigation should be applied to all deployments, including Windchill, FlexPLM, and any file/replica servers, not just internet-facing systems. However, PTC advises prioritizing mitigations on internet-facing instances.
If mitigation is not possible, the vendor recommends temporarily disconnecting the affected instances from the internet or shutting down the service.
IoCs available
... continue reading