PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution.

The security issue, identified as CVE-2026-4681, could be leveraged through the deserialization of trusted data.

Its severity has prompted emergency action from German authorities, with the federal police (BKA) reportedly sending agents to affected companies to alert them to the cybersecurity risk.

Fix under development

There are no official patches available, but PTC states that it is “actively developing and releasing security patches for all supported Windchill versions” to address the issue.

According to the vendor, the flaw impacts most supported versions of Windchill and FlexPLM, including all critical patch sets (CPS) versions.

Until patches become available, system administrators are recommended to apply the vendor-provided Apache/IIS rule to deny access to the affected servlet path. PTC noted that the mitigation does not break functionality.

The same mitigation should be applied to all deployments, including Windchill, FlexPLM, and any file/replica servers, not just internet-facing systems. However, PTC advises prioritizing mitigations on internet-facing instances.

If mitigation is not possible, the vendor recommends temporarily disconnecting the affected instances from the internet or shutting down the service.

IoCs available

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

Additionally, the bulletin lists detection advice, including checks for webshells (GW.class, payload.bin, or dpr_<random>.jsp files), suspicious requests with patterns such as run?p= / .jsp?c= combined with unusual User-Agent activity, errors referencing GW, GW_READY_OK, or unexpected gateway exceptions.

"Presence of the GW.class or dpr_<8-hex-digits>.jsp on the Windchill server indicates the attacker has completed weaponization on the system prior to conducting remote code execution (RCE)" - PTC

Additionally, in an email to customers seen by BleepingComputer, the company said that "there is credible evidence of an imminent threat by a third-party group to exploit the vulnerability."

According to Heise, BKA officers were dispatched over the weekend to alert companies nationwide of the risk of CVE-2026-4681, even some that did not use any of the affected products.

The German outlet reports that the BKA woke up system administrators in the middle of the night to hand them a copy of PTC’s notification, and also alerted the state criminal investigation offices (LKA) in various federal states.

This unusual and urgent response by the authorities has sparked concerns that CVE-2026-4681 may be exploited or is likely to be exploited soon.

Given that PLM systems are also used by engineering firms in weapons system design, industrial manufacturing, and critical supply chains, the authorities’ response could be justified on grounds of protection from industrial espionage and other national security risks.