Unrated severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026
Critical Remote Code Execution vulnerability reported in Windchill
CVE-2026-4681
Description
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
Affected products
- (no CPE) range: = 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13. 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
- (no CPE) range: 11.0 M030
References
- www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability (mitre, vendor-advisory, mitigation)
News mentions
- JSP webshells being dropped on unpatched PTC Windchill instances · Help Net Security · Jun 29, 2026
- First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild · SecurityWeek · Jun 26, 2026