PTC Windchill Product Lifecycle Management

Priority: Act Now (CVSS 10)
Advisory: ICS-CERT ICSA-26-085-03, published Mar 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PTC Windchill PDMLink and FlexPLM contain a vulnerability (CWE-94) that allows unauthenticated remote code execution. An attacker can exploit this vulnerability over the network to execute arbitrary commands on affected systems. The vulnerability affects Windchill PDMLink versions 11.0_M030 through 13.1.3.0 and FlexPLM versions 11.0_M030 through 13.0.3.0. PTC is actively developing vendor patches; in the meantime, HTTP server configuration workarounds must be applied immediately to all deployments, with particular urgency for publicly accessible systems.

What this means
What could happen
An attacker could execute arbitrary commands on Windchill or FlexPLM servers over the network without authentication, potentially allowing them to modify product lifecycle data, steal design files, or disrupt design and engineering workflows that feed into manufacturing and production systems.
Who's at risk
Organizations using PTC Windchill PDMLink or FlexPLM for product lifecycle management, particularly those with publicly accessible systems. This includes manufacturers, engineering firms, and enterprises managing product design, CAD files, bills of materials, and engineering change orders that feed into production planning and manufacturing execution systems.
How it could be exploited
An attacker can send a specially crafted request over the network to a publicly accessible Windchill or FlexPLM server. The vulnerability allows remote code execution without needing valid credentials or user interaction. The attacker gains command execution on the server, which can be leveraged to access or modify critical product data and engineering files.
Prerequisites
  • Network access to the Windchill or FlexPLM web server port (typically HTTP/HTTPS)
  • Windchill PDMLink version 11.0_M030 through 13.1.3.0, or FlexPLM version 11.0_M030 through 13.0.3.0
  • No valid credentials or authentication required
  • remotely exploitable
  • no authentication required
  • low complexity
  • critical severity (CVSS 10)
  • affects product lifecycle data central to manufacturing
  • publicly accessible deployments at immediate risk
Exploitability: Low exploit probability (EPSS 0.4%)
Affected products (20): 10 with fix, 10 pending
Product | Affected Versions | Fix Status
Windchill PDMLink 11.0_M030 | 11.0 M030 | No fix yet
Windchill PDMLink 11.1_M020 | 11.1 M020 | No fix yet
Windchill PDMLink 11.2.1.0 | 11.2.1.0 | No fix yet
Windchill PDMLink 12.0.2.0 | 12.0.2.0 | No fix yet
Windchill PDMLink 12.1.2.0 | 12.1.2.0 | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Apply the Apache HTTP Server configuration workaround steps immediately if using Apache (specific steps are in the advisory's 'Apache HTTP Server Configuration – Workaround Steps' section)
  • WORKAROUND: Apply the Microsoft IIS configuration workaround steps immediately if using IIS (specific steps are in the advisory's 'IIS Configuration - Workaround Steps' section)
  • HARDENING: Restrict network access to Windchill and FlexPLM systems to authorized internal networks only; do not expose these systems to the public Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update FlexPLM to the latest patched version when available from PTC (vendor is actively developing a fix)
  • HOTFIX: Apply security updates to Windchill PDMLink when PTC releases vendor patches (currently only mitigations are available)
PTC Windchill Product Lifecycle Management | CVSS 10 - OTPulse