According to CISA and BSI, a critical vulnerability (CVE-2026-4681) in PTC Windchill and FlexPLM carries a CVSS score of 10.0 and has no patch available at present; there are no confirmed active attacks, but there are indications that exploitation could be imminent, as reported by the German media outlet Heise. The advisory states that the flaw is a Remote Code Execution issue that may be exploited through deserialization of untrusted data, and it provides mitigations and indicators of compromise.
The vulnerability affects PTC FlexPLM, a product lifecycle management solution for handling product data and processes, and PTC Windchill, which covers similar lifecycle management functions. An anonymous source reported the vulnerability to CISA, and the incident prompted a notable response in Germany, including police visits to warn organisations.
PTC had previously notified customers and published a hotfix letter. Although no evidence of active exploitation had yet been confirmed, the situation heightened concern among administrators about the potential risk.