PT-2026-27248 · PTC · PTC FlexPLM +1

Published: 2026-03-23 · Updated: 2026-06-26 · CVE-2026-4681

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/RE:M/U:Red
Name of the Vulnerable Software and Affected Versions

Windchill PDMLink versions 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0

FlexPLM versions 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0
Description

A critical remote code execution (RCE) issue exists in PTC Windchill and FlexPLM due to insecure deserialization of untrusted data. Deserialization is the process of converting a stream of bytes back into an object; here the software accepts serialized Java objects on network-accessible endpoints without authentication or integrity checks. An unauthenticated attacker can send a specially crafted HTTP request to the server that uses a gadget chain (a sequence of existing classes already on the application's classpath whose deserialization side effects are linked together) to execute a malicious payload. This allows the attacker to take full control of the system, exfiltrate intellectual property such as CAD models, or install stealthy backdoors. Potentially thousands of systems in the manufacturing and product lifecycle management sectors are at risk. Real-world incidents have been reported in which attackers used this flaw for lateral movement across manufacturing networks.
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Disconnect all Windchill and FlexPLM servers from the public internet and place them behind a strict VPN or Zero-Trust Network Access (ZTNA) gateway. Block all incoming traffic on the default ports 80, 443, and 8080 from outside the internal network. Implement Web Application Firewall (WAF) rules that inspect HTTP POST requests for Java deserialization payloads, specifically blocking bodies whose hex header starts with AC ED 00 05 and requests containing the strings java.lang.Runtime or java.lang.ProcessBuilder; note that a raw-byte signature alone will not match a serialized stream that arrives base64- or gzip-wrapped, so the rule should be applied after decoding as well. Implement network segmentation to limit the blast radius of a potential compromise. Compare current CAD checksums against offline backups and scan the database for unauthorized administrative accounts.
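The WAF check described above, written out as an added Python example (not code from the advisory or from PTC); it goes slightly beyond the text by also decoding base64-looking runs in the body so a wrapped stream still triggers the same indicators. The function names and the sample request bodies are constructed for this example.

```python
import base64
import binascii
import re

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The advisory names these two classes; extend with gadget classes relevant to your deployment
SUSPICIOUS_CLASSES = (b"java.lang.Runtime", b"java.lang.ProcessBuilder")
# Runs of base64 alphabet long enough to carry an encoded object stream (padding excluded)
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}")


def _base64_views(body: bytes):
    """Yield decoded versions of base64-looking runs so a wrapped stream is still seen."""
    for match in _B64_RUN.finditer(body):
        chunk = match.group(0)
        try:
            yield base64.b64decode(chunk + b"=" * (-len(chunk) % 4))
        except binascii.Error:
            continue  # not valid base64 after all (e.g. a long token or hex string)


def inspect_body(body: bytes) -> list:
    """Return findings for one HTTP request body; an empty list means no indicator matched."""
    findings = []
    views = [("raw", body)] + [("base64", data) for data in _base64_views(body)]
    for label, data in views:
        if JAVA_STREAM_MAGIC in data:
            findings.append(f"java-serialized-stream ({label})")
        for cls in SUSPICIOUS_CLASSES:
            if cls in data:
                findings.append(f"class-reference {cls.decode()} ({label})")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def should_block(body: bytes) -> bool:
    """Block decision; run in log-only mode first to measure false positives on real traffic."""
    return bool(inspect_body(body))


# Constructed samples, not real exploit traffic: a stream header followed by a class-name
# string, the same bytes base64-wrapped in a form field, and a benign request body.
SAMPLE_RAW = JAVA_STREAM_MAGIC + b"sr\x00\x18java.lang.ProcessBuilder"
SAMPLE_B64 = b"payload=" + base64.b64encode(SAMPLE_RAW)
SAMPLE_BENIGN = b"user=alice&action=checkout&part=1234"

if __name__ == "__main__":
    for name, sample in (("raw", SAMPLE_RAW), ("base64", SAMPLE_B64), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_body(sample))
```

Legitimate Windchill traffic may itself carry Java class names, so deploy the class-name indicators in alert-only mode first and treat the stream header as the stronger signal.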

Tags: RCE · Code Injection

Related Identifiers: CVE-2026-4681

Affected Products: PTC FlexPLM, PTC Windchill