Back to KEVs

CVE-2026-4681

Critical Remote Code Execution vulnerability reported in Windchill

Basic Information

CVE State
PUBLISHED
Reserved Date
March 23, 2026
Published Date
March 23, 2026
Last Updated
March 24, 2026
Vendor
PTC
Product
Windchill PDMLink, FlexPLM
Description
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/RE:M/U:Red

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-03-25 15:00:08 UTC) Source

References

https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOop3e7Nthx5-BsrjKdpZi50wL6l6Bt21Fz0gUub2cIPgdPGV5bNl

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2026-03-25 15:00:08 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel