PT-2026-27248 · PTC · PTC Windchill +1
Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-4681
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
Name of the Vulnerable Software and Affected Versions
PTC Windchill PDMLink versions 11.0 M030 through 13.1.3.0
PTC FlexPLM versions 11.0 M030 through 13.0.3.0
Description
A critical remote code execution (RCE) issue has been identified in PTC Windchill and PTC FlexPLM. The issue can be exploited through the deserialization of untrusted data. The vulnerability allows for full compromise of confidentiality, integrity, and availability of core Product Lifecycle Management (PLM) systems, potentially leading to intellectual property theft and supply chain disruption. The vulnerability does not require authentication and is network accessible.
Recommendations
PTC Windchill PDMLink versions 11.0 M030 through 13.1.3.0 should be updated.
PTC FlexPLM versions 11.0 M030 through 13.0.3.0 should be updated.
Fix
RCE
Code Injection
Affected Products
PTC FlexPLM
PTC Windchill