Platform: java
Component: windchill-pdmlink
Fixed in: 11.0.1, 11.1.1, 11.2.2, 12.0.3, 12.1.3, 13.0.3, 13.1.1, 13.1.2, 13.1.3, 13.1.4
Fixed in: 11.0.1, 11.1.1, 11.2.2, 12.0.1, 12.0.3, 12.0.4, 12.1.3, 12.1.4, 13.0.3, 13.0.4
CVE-2026-4681 describes a critical Remote Code Execution (RCE) vulnerability in PTC Windchill and PTC FlexPLM. It stems from deserialization of untrusted data: an attacker who can deliver a crafted serialized object to a vulnerable endpoint can execute arbitrary code on the affected server. The vulnerability affects Windchill PDMLink versions up to and including 13.1.3.0, and the FlexPLM versions enumerated in the vulnerability description. PTC has released fixed versions.
Successful exploitation could give an attacker complete control of a vulnerable Windchill PDMLink server: executing arbitrary commands, reading the product data stored in the system, and pivoting to other systems on the network. Deserialization flaws are particularly dangerous because attacker-chosen code runs while the object graph is being reconstructed, before application-level input validation ever sees the data, so conventional validation does not stop a malicious payload. The impact is amplified where the Windchill PDMLink server is integrated with other critical business systems, since a compromise there can lead to widespread data breaches and operational disruption. As with other high-impact deserialization exploits, the attacker's work is to craft a serialized object whose deserialization triggers a chain of existing classes (a gadget chain) that ends in code execution.
CVE-2026-4681 was publicly disclosed on March 23, 2026. Its EPSS score currently stands at 0.50% (66th percentile). That is a low estimate at the time of writing; EPSS is recomputed daily and scores for RCE-via-deserialization bugs commonly rise sharply once public proof-of-concept (PoC) code appears, which would substantially increase the risk of widespread attacks. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Exploit Status
EPSS: 0.50% (66th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-4681 is to upgrade to a patched version of Windchill PDMLink or FlexPLM; refer to the official PTC advisory for the fixed version that applies to your release train. If immediate patching is not feasible, reduce exposure in the meantime: restrict network access to the Windchill PDMLink server to the networks and hosts that need it, and review which endpoints accept serialized Java data from outside the trusted boundary. A Web Application Firewall (WAF) rule that flags Java serialization streams in request bodies (the 0xACED0005 stream magic, or its base64 form beginning "rO0AB") adds a layer of defense and, just as usefully, visibility into who is sending such payloads, but it is a detection aid rather than a fix: alternative encodings and legitimate serialized traffic can both defeat a naive rule. Where the JVM supports it, a JDK deserialization filter (the jdk.serialFilter property, JEP 290) that restricts which classes may be deserialized is a generic defense-in-depth measure; it is not a PTC-published workaround and must be tested against the product's own serialized traffic before use. After upgrading, verify the fix by confirming that the deployed build matches a fixed version from the advisory and, if a safe test case is available, that the previously vulnerable endpoint rejects a serialized payload instead of deserializing it.
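The WAF signature described above is easy to get wrong, because the same serialized object can arrive raw, base64-encoded or hex-encoded. The scanner below is an added example written for this page, not code from PTC, from the Windchill product or from any WAF vendor: it recognises the Java serialization stream magic in all three encodings in HTTP request bodies and pulls the first class name out of the stream so an alert says what was sent. The truncated java.util.HashMap stream and the request bodies are constructed for the example.

```python
import base64
import binascii
import re
from typing import Optional

# Constants from java.io.ObjectStreamConstants.
STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
TC_OBJECT = 0x73                     # start of a new object
TC_ARRAY = 0x75                      # start of a new array
TC_CLASSDESC = 0x72                  # inline class descriptor (class name follows as UTF)

# The four magic bytes base64-encode to a string starting "rO0AB" (standard and
# URL-safe alphabets agree on those characters); hex-encoded they read "aced0005".
B64_MAGIC_RE = re.compile(r"rO0AB[A-Za-z0-9+/_=-]{8,}")
HEX_MAGIC_RE = re.compile(r"(?i)aced0005[0-9a-f]{8,}")


def first_class_name(stream: bytes) -> Optional[str]:
    """Return the class named by the first class descriptor of a Java
    serialization stream, for enriching an alert. Only the common
    TC_OBJECT/TC_ARRAY + TC_CLASSDESC opening is parsed; anything else
    (TC_STRING, back-references, proxy descriptors) yields None."""
    if len(stream) < 8 or not stream.startswith(STREAM_MAGIC):
        return None
    if stream[4] not in (TC_OBJECT, TC_ARRAY) or stream[5] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(stream[6:8], "big")   # UTF length prefix, big-endian
    name = stream[8:8 + name_len]
    if len(name) != name_len:
        return None                                  # truncated stream
    try:
        return name.decode("utf-8")
    except UnicodeDecodeError:
        return None


def _finding(encoding: str, offset: int, stream: bytes) -> dict:
    return {"encoding": encoding, "offset": offset, "first_class": first_class_name(stream)}


def scan_body(body: bytes) -> Optional[dict]:
    """Report a Java serialization stream found in an HTTP request body,
    whether sent raw, base64-encoded or hex-encoded. Returns None when
    no stream is present."""
    idx = body.find(STREAM_MAGIC)
    if idx != -1:
        return _finding("raw", idx, body[idx:])

    text = body.decode("latin-1")               # lossless byte-to-char view for the regexes
    m = B64_MAGIC_RE.search(text)
    if m:
        token = m.group(0).replace("-", "+").replace("_", "/")
        token += "=" * (-len(token) % 4)        # repair stripped padding
        try:
            decoded = base64.b64decode(token)
        except binascii.Error:
            decoded = b""
        if decoded.startswith(STREAM_MAGIC):
            return _finding("base64", m.start(), decoded)

    m = HEX_MAGIC_RE.search(text)
    if m:
        hexstr = m.group(0)
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]                # drop a dangling nibble
        return _finding("hex", m.start(), bytes.fromhex(hexstr))
    return None


# Constructed sample, not a real exploit payload: the opening of a serialized
# java.util.HashMap (magic, TC_OBJECT, TC_CLASSDESC, UTF length 0x11, class
# name) followed by zero bytes standing in for the rest of the stream.
SAMPLE_STREAM = (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
                 + b"\x00\x11java.util.HashMap" + b"\x00" * 16)

# Constructed request bodies to run the scanner over.
SAMPLE_BODIES = {
    "raw": b"\x00\x01" + SAMPLE_STREAM,
    "base64": b"data=" + base64.b64encode(SAMPLE_STREAM) + b"&submit=1",
    "hex": b"blob=" + SAMPLE_STREAM.hex().encode("ascii"),
    "benign_form": b"name=widget&qty=3",
    "benign_b64": b"token=" + base64.b64encode(b"nothing serialized in here"),
}


def scan_samples() -> dict:
    """Run scan_body over every constructed body; each key maps to a finding or None."""
    return {name: scan_body(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:12s} -> {finding}")
```

On a deployment that legitimately exchanges serialized Java objects this will also fire on benign traffic, so run it in logging mode first and baseline what normally arrives before turning it into a block rule. It is a detection aid for the window before the upgrade lands, not a substitute for it.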
Update Windchill PDMLink to a patched version that addresses the deserialization vulnerability. Refer to the PTC advisory for more details on the fixed versions and upgrade instructions.
CVE-2026-4681 is a critical Remote Code Execution vulnerability in PTC Windchill PDMLink versions ≤13.1.3.0, allowing attackers to execute code through insecure data deserialization.
If you are using Windchill PDMLink versions 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, or 13.1.3.0, you are potentially affected.
Upgrade to a patched version of Windchill PDMLink as recommended by PTC. Refer to the official PTC advisory for specific version details.
While active exploitation is not yet confirmed, the vulnerability's severity and nature suggest a high likelihood of exploitation, and monitoring is advised.
Refer to the official PTC security advisory for detailed information and remediation steps. Check the PTC support website for updates.