Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:Red
Network-reachable deserialization with no authentication or user interaction yields AV:N/AC:L/PR:N/UI:N; RCE in the application context gives full VC:H/VI:H/VA:H on the vulnerable system, with subsequent-system impact rated SC:L/SI:L/SA:L.
Primary rating from Vendor (PTC).
Description (CVE.org)
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
- This advisory also applies to all CPS versions.
- The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.
Analysis (AI-derived)
Remote code execution in PTC Windchill PDMlink and PTC FlexPLM allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. All releases prior to 11.0 M030 are affected, as are all CPS versions, and no public exploit had been identified at the time of analysis. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI-derived)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires network reachability to the Windchill PDMlink or FlexPLM web application and a target running any version prior to 11.0 M030 or any unpatched CPS release; no authentication, no user interaction, and no special configuration toggle are required per the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). … |
| Risk Assessment | Risk is high and broadly applicable: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H) indicates an unauthenticated, low-complexity network attack with full triad impact on the vulnerable system, and the 9.3 critical score is consistent with classic Java deserialization RCE patterns. … |
| Exploit Scenario | An unauthenticated attacker reachable over the network sends a crafted HTTP request containing a malicious serialized Java object to a Windchill PDMlink or FlexPLM endpoint that deserializes user input; the server reconstructs the object, triggering a gadget chain that executes attacker-supplied commands in the context of the application server. The attacker uses this foothold to steal proprietary CAD/engineering data, plant ransomware, or pivot deeper into the manufacturing network. … |
| Remediation | Patch available per vendor advisory: upgrade Windchill PDMlink and FlexPLM to 11.0 M030 or later, and apply the corresponding fixed CPS release referenced in PTC support article CS473270 (https://www.ptc.com/en/support/article/CS473270); exact CPS build numbers should be taken directly from that advisory, as they were not enumerated in the available intelligence. … |
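The scenario above turns on a request body that carries a serialized Java object. While the upgrade is rolled out, a compensating detection control at a reverse proxy or in WAF logs can flag bodies that contain the Java serialization stream header (STREAM_MAGIC 0xACED plus STREAM_VERSION 0x0005, which every `java.io.ObjectOutputStream` emits) in the encodings it is commonly wrapped in. The following is an added example written for this page, not PTC code and not derived from the advisory: the affected endpoint is not named, so the check is applied to any request body, and all sample bodies and the truncated stream inside them are constructed here.

```python
"""Flag HTTP request bodies that carry a Java serialization stream header.

Added example for this advisory (not PTC code).  The advisory attributes the
RCE to deserialization of untrusted data but does not name the endpoint, so
the check below inspects any body and reports the encoding(s) in which the
header appears: raw bytes, hex, base64/base64url, and percent-encoded forms.
"""
import base64
import binascii
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005) from the Java Object
# Serialization Stream Protocol.  A stream that starts here base64-encodes
# to the well-known "rO0AB..." prefix.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Candidate base64 / base64url tokens.  Requiring 16+ characters covers the
# header plus the first tags of the stream and keeps short field values from
# being decoded needlessly.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/_-]{16,}={0,2}")
_HEX_MAGIC = re.compile(rb"aced0005", re.IGNORECASE)


def _decode_base64_prefix(token: bytes) -> bytes:
    """Decode as much of a base64(url) token as is cleanly decodable.

    Tokens cut short by a delimiter (for example an escaped '=' in a form
    field) are trimmed to a whole 4-character group instead of being padded.
    """
    token = token.replace(b"-", b"+").replace(b"_", b"/")
    token = token[: len(token) // 4 * 4]
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return b""


def java_serialization_evidence(body: bytes) -> list[str]:
    """Return the encodings under which the Java stream header appears in body.

    An empty list means no evidence.  Percent-decoding is applied once so that
    a base64 blob inside a form field (where '+' and '=' are escaped) is also
    examined; findings in that view are prefixed with "url+".
    """
    evidence: list[str] = []
    decoded = unquote_to_bytes(body)
    views = [("", body)]
    if decoded != body:
        views.append(("url+", decoded))
    for prefix, view in views:
        if JAVA_STREAM_MAGIC in view:
            evidence.append(prefix + "raw")
        if _HEX_MAGIC.search(view):
            evidence.append(prefix + "hex")
        if any(JAVA_STREAM_MAGIC in _decode_base64_prefix(t)
               for t in _B64_TOKEN.findall(view)):
            evidence.append(prefix + "base64")
    return evidence


# Constructed sample bodies.  _STREAM is only the header plus a truncated class
# descriptor for java.util.HashMap; it is not a complete or valid object.
_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"
SAMPLE_BODIES = {
    "benign_form": b"username=alice&action=search&q=bracket+assembly",
    "benign_json": b'{"partNumber": "PN-1001", "revision": "B"}',
    "raw_stream": _STREAM,
    "base64_in_form": b"state=" + base64.b64encode(_STREAM),
    "urlencoded_base64": b"state="
    + quote_from_bytes(base64.b64encode(_STREAM)).encode(),
    "hex_in_json": b'{"blob": "' + binascii.hexlify(_STREAM) + b'"}',
}


def triage(bodies: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the check over a batch of bodies, e.g. bodies pulled from proxy logs."""
    return {name: java_serialization_evidence(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, found in triage(SAMPLE_BODIES).items():
        print(f"{name:<20} {'ALERT ' + ','.join(found) if found else 'clean'}")
```

The function reports evidence rather than deciding for you: a raw header in a body that the application never expects to carry serialized objects is a strong signal to block, whereas a base64 hit in a field that legitimately carries Java state may only warrant an alert. Either way the finding should be correlated with the Windchill/FlexPLM version inventory from the remediation step so that hits against patched hosts are deprioritized.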
Recommended Action (AI-derived)
Within 24 hours: Identify and inventory all PTC Windchill PDMlink and FlexPLM deployments; determine which are running versions prior to 11.0 M030 or any CPS version; assess network exposure. …
Related identifiers:
- EUVD-2026-37831
- GHSA-f345-wxwr-fxfh