Critical unauthenticated RCE vulnerability in PTC Windchill and FlexPLM disclosed with imminent exploitation risk

1 unique source, 1 article

Summary

A critical, unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-4681, has been disclosed in the PTC Windchill and FlexPLM product lifecycle management (PLM) platforms. The flaw arises from insecure deserialization of trusted data and enables arbitrary code execution without authentication. German federal authorities (BKA) have taken emergency action, dispatching officers to alert organizations nationwide—including some not running affected software—due to credible intelligence of imminent exploitation by a third-party threat actor. The vulnerability affects most supported versions of Windchill and FlexPLM across all critical patch sets (CPS). While no public exploitation has been confirmed, PTC has released detection indicators and mitigation guidance involving Apache/IIS rule configuration to block access to the vulnerable servlet path. Mitigation is recommended for all deployments, with priority on internet-facing systems. If mitigation is infeasible, PTC advises temporary disconnection from the internet or service shutdown.

Timeline

  1. 25.03.2026 01:04 · 1 article

    Critical unauthenticated RCE in PTC Windchill and FlexPLM disclosed with imminent exploitation warning

    CVE-2026-4681, a critical unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM, was disclosed with credible intelligence of imminent exploitation. German federal police (BKA) dispatched agents nationwide to alert organizations, including those not using affected products, due to national security concerns. PTC issued mitigation guidance (Apache/IIS rule to block vulnerable servlet path) and published IoCs and detection advice, recommending prioritized mitigation on internet-facing instances or service disconnection if mitigation is infeasible.


Information Snippets

  • CVE-2026-4681 in PTC Windchill and FlexPLM allows unauthenticated remote code execution via insecure deserialization of trusted data.

    First reported: 25.03.2026 01:04
    1 source, 1 article
  • Affected systems include all supported versions of Windchill and FlexPLM, across all critical patch sets (CPS).

    First reported: 25.03.2026 01:04
    1 source, 1 article
  • German federal police (BKA) dispatched agents nationwide to alert organizations—even those not using affected software—citing credible evidence of imminent exploitation by a third-party group.

    First reported: 25.03.2026 01:04
    1 source, 1 article
  • No public exploitation has been confirmed, but PTC has published IoCs including user agent strings and files (e.g., GW.class, payload.bin, dpr_<random>.jsp), and detection patterns such as '/run?p=' or '/.jsp?c=' combined with unusual User-Agent activity.

    First reported: 25.03.2026 01:04
    1 source, 1 article
  • Vendor-recommended mitigation: configure Apache/IIS rules to deny access to the affected servlet path; the rule does not break functionality.

    First reported: 25.03.2026 01:04
    1 source, 1 article
  • If mitigation is not possible, PTC advises temporary disconnection from the internet or service shutdown until patches are applied.

    First reported: 25.03.2026 01:04
    1 source, 1 article
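
A triage sketch for the detection patterns and file names listed in the snippets above, added here as an example and not taken from PTC's advisory or the source article. It assumes combined-format access logs and a hypothetical User-Agent baseline (`EXPECTED_UA_PREFIXES`); the log lines and file paths are constructed.

```python
import re
from fnmatch import fnmatchcase

# Values taken from the IoC snippet above, matched exactly as written there.
URI_MARKERS = ("/run?p=", "/.jsp?c=")
FILE_PATTERNS = ("GW.class", "payload.bin", "dpr_*.jsp")  # dpr_<random>.jsp

# Assumption: hypothetical baseline of User-Agent prefixes normal for this site.
EXPECTED_UA_PREFIXES = ("Mozilla/",)

# Assumption: Apache/IIS logs exported in combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def scan_access_log(lines):
    """Return one finding per request whose URI contains a published marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skipped, not flagged
        markers = [x for x in URI_MARKERS if x in m["uri"]]
        if not markers:
            continue
        unusual_ua = not m["ua"].startswith(EXPECTED_UA_PREFIXES)
        findings.append({
            "line": lineno, "ip": m["ip"], "uri": m["uri"], "ua": m["ua"],
            "markers": markers,
            # Marker plus off-baseline User-Agent is the combination the IoCs describe.
            "severity": "high" if unusual_ua else "review",
        })
    return findings

def match_ioc_files(paths):
    """Return paths whose file name matches a published IoC file name."""
    def name(p):
        return re.split(r"[\\/]", p)[-1]  # handles POSIX and Windows separators
    return [p for p in paths if any(fnmatchcase(name(p), pat) for pat in FILE_PATTERNS)]

# Constructed sample data (not real traffic, hosts or application paths).
SAMPLE_LOG = [
    '198.51.100.9 - - [25/Mar/2026:01:10:02 +0000] "GET /app/run?p=AAAA HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '192.0.2.15 - - [25/Mar/2026:01:11:40 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [25/Mar/2026:01:12:05 +0000] "GET /app/run?p=report HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = ["/srv/app/dpr_k3x9.jsp", "/srv/app/login.jsp", "C:\\app\\temp\\payload.bin"]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["uri"], f["ua"])
    print(match_ioc_files(SAMPLE_FILES))
```

A "review" finding means a marker matched with a baseline User-Agent; it still needs a look, since a User-Agent header is client-controlled.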