{"uuid": "47124bb2-b34f-47c1-b0a3-1073423a56ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Critical RCE Vulnerability reported in Windchill", "description": "#  Zero-day allows code execution in WindChill and FlexPLM | heise online\n\nThe software Windchill and FlexPLM contains a security vulnerability that allows code execution. The manufacturer urgently calls for security measures to be taken \u2013 a patch is not yet available at the moment.\n\nInformation about the vulnerability is scarce; neither a CVE identifier nor warnings from national CERTs (Computer Emergency Response Team) are available. However, the manufacturer and its partners appear to be concerned: they are assigning the highest score of 10.0 points on the CVSS scale and urging customers to react immediately.\n\nApparently, the error is hidden in the deserialization of the servlets `/servlet/WindchillGW/com.ptc.wvs.server.publish.Publish` and `/servlet/WindchillAuthGW/com.ptc.wvs.server.publish.Publish`. 
If these are accessible to an attacker, for example, because the Windchill server is reachable from the internet, they can inject and execute code.\n\n### Many versions affected\n\nAccording to [the manufacturer PTC's extremely brief security notice](https://www.ptc.com/en/support/article/CS466318?_gl=1*196gmri*_gcl_au*Njc4ODc0NTE4LjE3NzQxNzI5NTc.*_ga*MTY0OTgyOTM1NC4xNzc0MTcyOTU2*_ga_7NMP2MSYPM*czE3NzQxNzI5NTYkbzEkZzAkdDE3NzQxNzI5ODQkajMyJGwwJGgw&as=0) in the Knowledge Base, the following versions are affected:\n\n*   Windchill PDMLink 11.0 M030\n*   Windchill PDMLink 11.1 M020\n*   Windchill PDMLink 11.2.1.0\n*   Windchill PDMLink 12.0.2.0\n*   Windchill PDMLink 13.0.2.0\n*   Windchill PDMLink 13.1.0.0\n*   Windchill PDMLink 13.1.1.0\n*   Windchill PDMLink 13.1.2.0\n*   Windchill PDMLink 13.1.3.0\n*   Windchill PDMLink 12.1.2.0\n*   FlexPLM 11.0 M030\n*   FlexPLM 11.1 M020\n*   FlexPLM 11.2.1.0\n*   FlexPLM 12.0.0.0\n*   FlexPLM 12.0.2.0\n*   FlexPLM 12.0.3.0\n*   FlexPLM 12.1.2.0\n*   FlexPLM 12.1.3.0\n*   FlexPLM 13.0.2.0\n*   FlexPLM 13.0.3.0\n\n### Workaround: Restrict access via Apache configuration\n\nUntil a patch is available, admins should use a workaround. As described by the Windchill service provider EAC in a communication to its customers, this requires a configuration change to the Apache web server. According to EAC, this should be done **immediately** to neutralize the risk of an exploit.\n\n1.  Create a new configuration file `<APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf`. (If a file with the prefix 90- or higher already exists, the new file should receive the highest number to be loaded as the last file)\n2.  Incorporate the following directives into it:\n\n    ```apache\n    <LocationMatch \"^.*servlet/(WindchillGW|WindchillAuthGW)/com\\.ptc\\.wvs\\.server\\.publish\\.Publish(?:;[^/]*)?/.*$\">\n        Require all denied\n    </LocationMatch>\n    ```\n\n3.  
Restart the web server using the known commands.\n\n### Apparently active attacks \u2013 admins should keep their eyes open\n\nAlthough the manufacturer claims to have no knowledge of successful attacks, service provider EAC mentions some \"[Indicators of Compromise](https://support.eacpds.com/hc/en-us/article_attachments/47430019070996)\" (IOC). This means that attacks against Windchill or FlexPLM servers must have already occurred. The IOCs indicate that after a successful exploit, attackers upload files with malicious code to the server, typically web shells. Instances operated by PTC itself are already protected.\n\nInsecure deserialization is a known entry point for exploits and is popular with cybercriminals and state-sponsored attackers. Just a few days ago, the US cybersecurity agency added another [deserialization vulnerability in Microsoft SharePoint](https://www.heise.de/news/Warnung-vor-Angriffen-auf-Cisco-FMC-SharePoint-und-Zimbra-11217003.html?from-en=1) to its database of Known Exploited Vulnerabilities.\n\n([cku](mailto:cku@heise.de \"Dr. Christopher Kunz\"))\n\n_This article was originally published in [German](https://www.heise.de/news/Zero-Day-erlaubt-Codeausfuehrung-in-WindChill-und-FlexPLM-11220521.html). 
It was translated with technical assistance and editorially reviewed before publication._", "creation_timestamp": "2026-03-23T12:31:11.280296+00:00", "timestamp": "2026-03-23T12:31:11.280296+00:00", "related_vulnerabilities": ["GCVE-1-2026-0021"], "meta": [{"ref": ["https://www.ptc.com/en/support/article/CS466318?_gl=1*196gmri*_gcl_au*Njc4ODc0NTE4LjE3NzQxNzI5NTc.*_ga*MTY0OTgyOTM1NC4xNzc0MTcyOTU2*_ga_7NMP2MSYPM*czE3NzQxNzI5NTYkbzEkZzAkdDE3NzQxNzI5ODQkajMyJGwwJGgw&as=0", "https://www.heise.de/en/news/Zero-day-allows-code-execution-in-WindChill-and-FlexPLM-11220546.html"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
