PTC’s advisory center
Please visit the links below for information on PTC's response to vulnerabilities that have impacted PTC products and their remediation.
Advisories
PTC Products advisories
PTC ALM
Product: Codebeamer
Description: Security Vulnerability identified in Codebeamer - Reflected XSS - CVE-2024-3951
- Advisory ID: ICSA-24-128-01
- Publish date: 5/7/2024
- Remediation Details
Product: Codebeamer
Description: Security Vulnerabilities Identified in Codebeamer - CVE-2023-4296
- Advisory ID: ICSA-23-241-01
- Publish date: 8/29/2023
- Remediation Details
PTC Creo
Product: Creo Elements/Direct License Server
Description: Critical Security Vulnerability identified in Creo Elements/Direct License Server - CVE-2024-6071
- Advisory ID: ICSA-24-177-02
- Publish date: 7/9/2024
- Remediation Details
PTC IoT
Product: PTC Axeda Agent
Description: Use of Hard-coded Credentials, Missing Authentication for Critical Function, Exposure of Sensitive Information to an Unauthorized Actor, Path Traversal, Improper Check or Handling of Exceptional Conditions
- Advisory ID: ICSA-22-067-01
- Publish date: 3/31/2022
- Remediation Details
PTC Kepware
Product: PTC ThingWorx Kepware Server
Description: Security vulnerability identified in PTC Kepware Products - CVE-2024-6098
- Advisory ID: ICSA-24-228-11
- Publish date: 8/15/2024
- Remediation Details
Product: PTC Kepware ThingWorx Kepware Server
Description: Security vulnerability identified in PTC Kepware Products - CVE-2024-6098
- Advisory ID: ICSA-24-228-11
- Publish date: 8/15/2024
- Remediation Details
Product: PTC Kepware Server
Description: Security vulnerabilities identified in PTC Kepware products - CVE-2023-5908, CVE-2023-5909
- Advisory ID: ICSA-23-334-03
- Publish date: 11/30/2023
- Remediation Details
Product: PTC Kepware Server
Description: Security vulnerabilities identified in PTC Kepware Products - CVE-2023-29444, CVE-2023-29446, CVE-2023-29447
- Advisory ID: ICSA-23-243-03
- Publish date: 10/12/2023
- Remediation Details
Product: PTC Kepware Server CVD
Description: Uncontrolled Resource Consumption
- Advisory ID: ICSA-23-208-02
- Publish date: 7/27/2023
- Remediation Details
Product: PTC ThingWorx Edge and Kepware CVD
Description: Improper Validation of Array Index, Integer Overflow or Wraparound
- Advisory ID: ICSA-23-054-01
- Publish date: 2/23/2023
- Remediation Details
Product: PTC Kepware Server (Update A) CVD
Description: Heap-based Buffer Overflow, Stack-based Buffer Overflow
- Advisory ID: ICSA-22-242-10
- Publish date: 8/8/2022
- Remediation Details
Product: PTC Kepware Server (Update A)
Description: Security vulnerabilities identified in PTC Kepware Products - CVE-2020-27263, CVE-2020-27265, CVE-2020-27267
- Advisory ID: ICSA-20-352-02
- Publish date: 1/5/2021
- Remediation Details
PTC PLM
Product: PTC Windchill and FlexPLM
Description: Apache vulnerability impact on PTC Windchill and FlexPLM
- Advisory ID: CVE-2022-36760
- Publish date: 1/17/2023
- Remediation Details
Third-party advisories
Chromium vulnerability impact on multiple PTC products
Product: Multiple PTC products
Description: Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- Advisory ID: CVE-2022-1096
- Publish date: 7/22/2022
- Remediation Details
Log4j vulnerability impact on multiple PTC products
Product: Multiple PTC products
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
- Advisory ID: CVE-2021-44228
- Publish date: 12/10/2021
- Remediation Details
Spring4Shell vulnerability impact on multiple PTC products
Product: Multiple PTC products
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
- Advisory ID: CVE-2022-22965
- Publish date: 4/1/2022
- Remediation Details
TPM vulnerability impact on PTC products
Product: PTC products are not directly impacted by the TPM vulnerabilities
Description: TPM security vulnerabilities - CVE-2023-1017 and CVE-2023-1018
- Advisory ID: CVE-2023-1017, CVE-2023-1018
- Publish date: 02/28/2023, 02/28/2023
- Remediation Details
Qix & Shai-Hulud NPM Software Supply Chain Attacks
Product: At this time, PTC has no indication that its products are impacted by the Qix & Shai-Hulud NPM Software Supply Chain Attacks.
Current as of: September 19, 2025
Remediation Details: PTC is aware of the recent NPM software supply chain attacks known as Qix (September 8) and Shai-Hulud (September 15). These incidents have targeted high-profile maintainers and leveraged malicious packages to exfiltrate sensitive data.
As of our latest investigation, we can confirm that none of our products have been impacted by either attack. Our internal security teams have conducted thorough reviews of our software components and dependencies, and no affected packages have been identified within our environment.
We remain vigilant, as attackers may adapt and attempt similar tactics in the future.
We will continue to monitor the situation closely and provide updates as needed. If there are any changes to our assessment or new developments that impact our products, we will update this advisory accordingly.