Full Report
PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution. [...]
Analysis Summary
# Vulnerability: Critical Deserialization RCE in PTC Windchill and FlexPLM
## CVE Details
- **CVE ID:** CVE-2026-4681
- **CVSS Score:** Critical (Numerical score not explicitly stated, but categorized as "Critical" with high-urgency government response)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** PTC Windchill and PTC FlexPLM
- **Versions:** Most supported versions, including all Critical Patch Sets (CPS) versions.
- **Configurations:** All deployments (Internet-facing, internal, and file/replica servers).
## Vulnerability Description
The flaw is a deserialization vulnerability that allows for Remote Code Execution (RCE). It involves the deserialization of data submitted through a specific servlet path. While the article mentions "deserialization of trusted data," the CWE-502 classification and the RCE potential suggest that unauthenticated or improperly validated input can be used to execute arbitrary code on the underlying server.
## Exploitation
- **Status:** Not currently exploited in the wild, but there is "credible evidence of an imminent threat" from a third-party group.
- **Complexity:** Low (implied by the urgency and widespread government alert).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Risk of industrial espionage and data theft).
- **Integrity:** High (Full system compromise/weaponization).
- **Availability:** High (Potential for service shutdown or ransomware).
## Remediation
### Patches
- Official patches are currently **under development** and have not yet been released. PTC is working on security patches for all supported versions.
### Workarounds
- **Servlet Blocking:** Apply the vendor-provided Apache or IIS rules to deny access to the affected servlet path. Note: PTC states this does not break functionality.
- **Prioritization:** Apply mitigations to internet-facing instances first, then internal/replica servers.
- **Isolation:** If rules cannot be applied, temporarily disconnect affected instances from the internet or shut down the service.
## Detection
### Indicators of Compromise (IoCs)
- **Files:** Presence of `GW.class`, `payload.bin`, or `dpr_.jsp` (indicates weaponization is complete).
- **Network Patterns:** Requests containing `run?p=` or `.jsp?c=`.
- **User-Agent:** Unusual User-Agent activity (specific string known to PTC).
- **Log Errors:** References to `GW`, `GW_READY_OK`, or unexpected gateway exceptions.
### Detection Methods and Tools
- Review server logs for the specific request patterns mentioned above.
- Scan the Windchill server filesystem for the identified malicious files.
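The two detection steps above, as an added Python example (not PTC's own tooling): it applies the request patterns, log markers and file names from the IoC list to constructed sample log lines and to a path listing. The log formats, URL paths and directory names in the sample data are assumptions, not the real servlet path.

```python
import re
from pathlib import Path

# Indicators from the IoC list above. "GW" is matched as a whole word so that
# unrelated identifiers that merely contain "GW" are not flagged.
REQUEST_PATTERNS = (re.compile(r"run\?p="), re.compile(r"\.jsp\?c="))
LOG_MARKER = re.compile(r"\bGW(?:_READY_OK)?\b")
SUSPECT_FILES = frozenset({"GW.class", "payload.bin", "dpr_.jsp"})


def flag_requests(access_log_lines):
    """Return (line_no, line) for web-server log lines whose request
    target carries one of the listed query patterns."""
    return [(n, line.rstrip()) for n, line in enumerate(access_log_lines, 1)
            if any(p.search(line) for p in REQUEST_PATTERNS)]


def flag_log_markers(app_log_lines):
    """Return (line_no, line) for application log lines that reference
    GW or GW_READY_OK."""
    return [(n, line.rstrip()) for n, line in enumerate(app_log_lines, 1)
            if LOG_MARKER.search(line)]


def find_suspect_files(paths):
    """Filter any iterable of file paths down to those whose basename is
    one of the files named in the IoC list (works on os.walk output, an
    inventory export or a backup manifest alike)."""
    return sorted(str(p) for p in map(Path, paths) if p.name in SUSPECT_FILES)


def scan_directory(root):
    """Walk an installation directory and apply find_suspect_files."""
    return find_suspect_files(p for p in Path(root).rglob("*") if p.is_file())


# Constructed sample data (not real traffic); URL paths are placeholders.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2026:10:01:09 +0000] "POST /Windchill/run?p=ZGF0YQ HTTP/1.1" 200 41',
    '203.0.113.9 - - [12/Mar/2026:10:01:15 +0000] "GET /Windchill/dpr_.jsp?c=1 HTTP/1.1" 200 87',
]
SAMPLE_APP_LOG = [
    "2026-03-12 10:01:09 INFO  wt.method.MethodContext - request handled",
    "2026-03-12 10:01:10 ERROR GW - unexpected gateway exception",
    "2026-03-12 10:01:11 INFO  GW_READY_OK",
    "2026-03-12 10:01:12 INFO  GWTModule loaded",  # must not match
]

if __name__ == "__main__":
    for n, line in flag_requests(SAMPLE_ACCESS_LOG):
        print(f"access log line {n}: {line}")
    for n, line in flag_log_markers(SAMPLE_APP_LOG):
        print(f"app log line {n}: {line}")
```

Feed `flag_requests` the reverse-proxy (Apache/IIS) access log and `flag_log_markers` the Windchill method-server logs; `scan_directory` should be pointed at the Windchill installation root.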
## References
- PTC Security Bulletin (Primary Source)
- BleepingComputer: hxxps[://]www[.]bleepingcomputer[.]com/news/security/ptc-warns-of-imminent-threat-from-critical-windchill-flexplm-rce-bug/
- Heise Report: hxxps[://]www[.]heise[.]de/en/news/WTF-Police-responded-on-Saturday-night-due-to-a-zero-day-11221590[.]html