Windchill & FlexPLM Critical Vulnerability Response Center

Check here for the latest information on the Windchill and FlexPLM critical vulnerability response and remediation. 



Critical RCE vulnerability reported in Windchill

Modified 23-Mar-2026 | 1:34 p.m. EST

Applies To

  • Windchill PDMLink 11.0 M030
  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • Windchill PDMLink 12.0.2.0
  • Windchill PDMLink 12.1.2.0
  • Windchill PDMLink 13.0.2.0
  • Windchill PDMLink 13.1.0.0
  • Windchill PDMLink 13.1.1.0
  • Windchill PDMLink 13.1.2.0
  • Windchill PDMLink 13.1.3.0
  • FlexPLM 11.0 M030
  • FlexPLM 11.1 M020
  • FlexPLM 11.2.1.0
  • FlexPLM 12.0.0.0
  • FlexPLM 12.0.2.0
  • FlexPLM 12.0.3.0
  • FlexPLM 12.1.2.0
  • FlexPLM 12.1.3.0
  • FlexPLM 13.0.2.0
  • FlexPLM 13.0.3.0
  • This advisory applies to all CPS versions
  • The identified vulnerability impacts Windchill releases prior to 11.1 M030

 

Description

 

Resolution

  • Check back regularly for updates to this article and its guidance. Latest Update: 3/23/2026, 12 PM EST
  • Review the file system IOCs below for updates.
  • PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability

 

Immediate Action Required

  • Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically:
    • Protect any publicly accessible Windchill systems
    • While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure
    • Apply the same precautions to FlexPLM deployments
  • The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system:
    • Customers using Apache HTTP Server should follow only the steps in the “Apache HTTP Server Configuration – Workaround Steps” section
    • Customers using Microsoft IIS should follow only the steps in the “IIS Configuration - Workaround Steps” section
    • Note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable
    • For Windchill releases prior to 11.1 M030, the workarounds may need to be altered to apply to these unsupported releases
  • If you are unable to apply the remediation quickly, other options to protect your systems are listed below the remediation instructions. 

 

Apache HTTP Server Configuration – Workaround Steps

  1. Create a new Apache configuration file:
    <APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf

  2. Add the following to the body of this new configuration file:
    <LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">

        Require all denied

    </LocationMatch>


  3. Be sure to save the new configuration file.

    NOTE: If there is an Apache HTTP Server configuration file having a sequence number higher than 90, ensure that the new file is the last in the configuration sequence.

  4. Restart Apache HTTP Server for changes to take effect:

    • Linux:
      apachectl stop
      apachectl start

    • Windows (Service):
      Open Services
      Stop Apache HTTP Server
      Start Apache HTTP Server

 

IIS Configuration - Workaround Steps:

  1. Check whether the URL Rewrite module is available in the IIS Web Server
    • If not available, please follow steps 2 through 5; else, jump to step 4
  2. Download “url-rewrite” binary from  https://www.iis.net/downloads/microsoft/url-rewrite
  3. Install the downloaded binary using PowerShell with the command below. Ensure you run the command with the exact location of the downloaded binary

    Command: Start-Process msiexec.exe -ArgumentList "/i <location of binary> /quiet" -Wait
    Example: Start-Process msiexec.exe -ArgumentList "/i C:\Users\windchill\Downloads\rewrite_amd64_en-US.msi /quiet" -Wait


  4. Edit <WT_HOME>\web.config, add the rewrite rule below as the first tag inside the <system.webServer> tag, and save the file

    <rewrite>
        <rules>
            <rule name="Block Windchill Publish Servlet" stopProcessing="true">
                <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(;[^/]*)?/.*$" ignoreCase="true" />
                <action type="CustomResponse"
                    statusCode="403"
                    statusReason="Forbidden"
                    statusDescription="Access Denied" />
            </rule>
        </rules>
    </rewrite>



    Be sure to confirm the web.config file is properly updated with the changes

  5. Restart the IIS web server by running the command below from PowerShell

    iisreset

  6. Close and relaunch IIS manager UI to check if the URL rewrite rule is in place

    Click on Site--->URL Rewrite--->
    The URL Rewrite rule should appear in the list

 

Important Additional Information

  • Once the workaround is applied, customers should be able to continue using their Windchill system. There are no known functional impacts due to applying the Apache or IIS workaround

  • Other Options to Protect Your Systems
    • If you are unable to apply the remediation quickly for any reason, you can also take the following steps to protect your systems:
      • Shut down your Windchill or FlexPLM service (and then apply the remediation steps).
      • Disconnect your Windchill or FlexPLM system from the public internet


  • For any questions related to the configuration (above), contact PTC Technical Support and open a Support Case
  • Effective immediately, PTC is granting 24x7 customer support access and coverage to all PTC customers regardless of support level to address all matters specific to this vulnerability
  • For PTC CLOUD HOSTED CUSTOMERS – The Apache HTTP Server configuration workaround has been applied on all PTC-hosted Windchill and FlexPLM systems
  • In addition to remediation steps outlined above, we urge you to look for the following indicators of compromise (IOCs) that can be used to determine if the vulnerability has been exploited in your Windchill or FlexPLM environment:
  • If any of the IOCs are identified on the Windchill Server, please immediately notify your company’s security team to initiate your company’s response plan

 

Network and User-Agent:

Monitor for the following User-Agent Header: 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

 

Command and Parameter:

Block and/or alert on HTTP requests with suspicious parameters:

  • ?c= (command execution)
  • ?p= (file read)

 

File System:

Check for the presence of any of these files (SHA256):

GW.class - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1

 payload.bin - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1

Any *.jsp files with a random naming convention that follows the format: “dpr_<8-hex-digits>.jsp”

 

Note:

  • Presence of the GW.class or dpr_<8-hex-digits>.jsp on the Windchill server indicates the attacker has completed weaponization on the system prior to conducting remote code execution (RCE)
  • The previous two files are identical in content; therefore, they have the same hash 
  • The hashes provided are based on information known at this time. If new information is identified, any potential changes to the hashes will continue to be updated in this article.


Any *.jsp files with a random naming convention that follows this format:  “dpr_<8-hex-digits>.jsp”
Note: Hash can be variable due to random generation
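
A file system sweep for the indicators above, as an added example that is not PTC's code. It matches dpr_<8-hex-digits>.jsp by name only (its hash varies) and compares .class and .bin files against the SHA256 given for GW.class and payload.bin; the function names and the choice to hash every .class and .bin file under the given directory are assumptions of this example.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA256 the advisory gives for GW.class and payload.bin (identical content).
KNOWN_SHA256 = {"c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1"}
KNOWN_NAMES = {"gw.class", "payload.bin"}
# dpr_<8-hex-digits>.jsp: the hash is variable, so only the name is checked.
DPR_JSP = re.compile(r"^dpr_[0-9a-f]{8}\.jsp$", re.IGNORECASE)


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, known_sha256=KNOWN_SHA256):
    """Return sorted (reason, path) findings for files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if DPR_JSP.match(name):
            findings.append(("dpr-jsp-name", str(path)))
        elif name in KNOWN_NAMES or path.suffix.lower() in {".class", ".bin"}:
            try:
                digest = sha256_of(path)
            except OSError:
                findings.append(("unreadable", str(path)))  # review by hand
                continue
            if digest in known_sha256:
                findings.append(("known-sha256", str(path)))  # catches renamed copies
            elif name in KNOWN_NAMES:
                findings.append(("name-only", str(path)))  # listed name, different hash
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python sweep.py <directory to scan>
    for reason, found in sweep(sys.argv[1]):
        print(f"{reason}\t{found}")
```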

 

Log and Error IOCs

Unusual error messages in Windchill logs referencing:

  • GW_READY_OK
  • ClassNotFoundException for GW
  • Windchill Error or HTTP Gateway Exception