PT-2026-27248 · Ptc · Ptc Windchill+1
Published: 2026-03-23 · Updated: 2026-04-06 · CVE-2026-4681
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
Name of the Vulnerable Software and Affected Versions
PTC Windchill PDMLink versions 11.0 M030 through 13.1.3.0
PTC FlexPLM versions 11.0 M030 through 13.0.3.0
Description
A critical remote code execution (RCE) issue has been identified in PTC Windchill and PTC FlexPLM. The issue stems from the deserialization of untrusted data, potentially allowing an attacker to execute arbitrary code on affected systems. The vulnerability poses a significant risk to the confidentiality, integrity, and availability of core Product Lifecycle Management (PLM) data, potentially leading to intellectual property theft, supply chain compromise, and service disruption. Authorities have issued alerts regarding the imminent exploitation of this issue, with reports of increased targeting activity. The vulnerability does not require authentication for exploitation.
Recommendations
PTC Windchill PDMLink versions 11.0 M030 through 13.1.3.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PTC FlexPLM versions 11.0 M030 through 13.0.3.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Code Injection
Affected Products
PTC FlexPLM
PTC Windchill