PatchSiren cyber security CVE debrief
CVE-2026-4681 PTC CVE debrief
CVE-2026-4681 is a critical remote code execution vulnerability affecting PTC Windchill PDMLink and PTC FlexPLM. The CISA CSAF advisory states the issue may be exploited through deserialization of untrusted data and assigns a CVSS v3.1 score of 10.0. CISA’s record republishes PTC’s CS466318 and notes workaround guidance is available while PTC develops a fix. Publicly accessible Windchill systems are called out as higher risk, but the mitigation guidance is intended for all deployments, including File Server / Replica Server configurations where applicable.
- Vendor: PTC
- Product: Windchill PDMLink
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-26
- Original CVE updated: 2026-03-26
- Advisory published: 2026-03-26
- Advisory updated: 2026-03-26
Who should care
PTC Windchill PDMLink and FlexPLM administrators, product security teams, vulnerability management teams, and any operators of publicly accessible deployments should treat this as urgent. Organizations using Apache HTTP Server or Microsoft IIS in front of Windchill/FlexPLM, and environments with File Server / Replica Server configurations, should prioritize mitigation immediately.
Technical summary
According to the CISA CSAF advisory, the vulnerability is a critical RCE issue that may be triggered via deserialization of untrusted data. The source lists affected Windchill PDMLink releases 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, and 13.1.3.0, and affected FlexPLM releases 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, and 13.0.3.0. The advisory includes mitigation steps for Apache HTTP Server and IIS deployments and says the same precautions should be applied to File Server / Replica Server configurations where applicable.
Defensive priority
Immediate. Apply vendor workaround guidance now, especially on internet-facing systems, and track the PTC advisory for the official fix.
Recommended defensive actions
- Apply the PTC workaround guidance immediately for all affected Windchill and FlexPLM deployments, not only internet-facing ones.
- Follow the Apache HTTP Server workaround steps if Apache is used in front of the affected products.
- Follow the IIS Configuration workaround steps if Microsoft IIS is used.
- Apply the same mitigation steps to File Server / Replica Server configurations where applicable.
- Review exposed Windchill/FlexPLM systems first, since the advisory notes publicly accessible systems are at higher risk.
- Monitor the official PTC trust center advisory for patch availability and additional remediation options.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-085-03 (CVE-2026-4681), which republishes PTC’s CS466318. The advisory states the issue is a critical RCE via deserialization of untrusted data, lists the affected product versions, and recommends immediate workaround steps for Apache HTTP Server and IIS configurations. The source also includes the official PTC advisory URL for further remediation guidance.
Official resources
- CVE-2026-4681 CVE record (CVE.org)
- CVE-2026-4681 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the CSAF advisory on 2026-03-26T06:00:00.000Z and the source revision history identifies it as an initial republication of PTC’s CS466318. The source does not indicate a CISA KEV entry.