PTC Windchill Product Lifecycle Management

Plan Patch
CVSS 10
ICS-CERT ICSA-26-085-03
Mar 26, 2026
PTC
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PTC Windchill PDMLink and FlexPLM are vulnerable to remote code execution (CWE-94) through unauthenticated network requests. Successful exploitation allows an attacker to execute arbitrary code on the vulnerable server. The vulnerability affects multiple versions of both products. PTC is actively developing patches and recommends immediate application of HTTP server configuration workarounds for Apache and IIS platforms while patches are in development. All deployments should be protected, with priority given to publicly accessible instances.

What this means
What could happen
An attacker could execute arbitrary code on Windchill or FlexPLM servers, potentially compromising design data, intellectual property, and supply chain documentation that manufacturers rely on for production.
Who's at risk
Manufacturers and engineering firms running PTC Windchill PDMLink or FlexPLM product lifecycle management systems should prioritize this, especially if these systems are internet-facing or accessible from untrusted networks. This affects design collaboration, CAD file management, and bill-of-materials systems that support production operations.
How it could be exploited
An unauthenticated attacker on the network can send a specially crafted request to a publicly accessible Windchill or FlexPLM instance to trigger remote code execution. The vulnerability requires no credentials or user interaction.
Prerequisites
  • Network access to the Windchill or FlexPLM web interface (typically port 80 or 443)
  • Windchill or FlexPLM system exposed to untrusted networks or publicly accessible
Tags: remotely exploitable, no authentication required, low complexity, affects intellectual property and supply chain data, high CVSS score (10.0), critical severity
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (20)
10 with fix, 10 pending

Product | Affected Versions | Fix Status
Windchill PDMLink: 11.0_M030 | 11.0 M030 | No fix yet
Windchill PDMLink: 11.1_M020 | 11.1 M020 | No fix yet
Windchill PDMLink: 11.2.1.0 | 11.2.1.0 | No fix yet
Windchill PDMLink: 12.0.2.0 | 12.0.2.0 | No fix yet
Windchill PDMLink: 12.1.2.0 | 12.1.2.0 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Apply the Apache HTTP Server configuration workaround immediately to all Windchill and FlexPLM systems using Apache
WORKAROUND: Apply the IIS configuration workaround immediately to all Windchill and FlexPLM systems using Microsoft IIS
HARDENING: Restrict network access to Windchill and FlexPLM web interfaces to trusted networks only; remove or disable public internet accessibility pending vendor patches
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor vendor security announcements and deploy patches to FlexPLM systems as they become available
HOTFIX: For Windchill PDMLink systems currently on mitigation status, continue monitoring for vendor patch availability and plan the upgrade within your change management process
