According to CISA, the ICS Advisory for PTC Windchill Product Lifecycle Management warns that successful exploitation could enable remote code execution. The vulnerability is identified as CVE-2026-4681 and affects Windchill PDMLink versions from 11.0_M030 through 13.1.3.0, as well as FlexPLM releases spanning 11.0_M030 to 13.0.3.0, with a CVSS v3.1 base score of 10 (CRITICAL).
PTC Windchill and FlexPLM are both listed under the affected products, and the advisory notes that the issue may be triggered by deserialisation of untrusted data. Remediation steps are clearly prioritised: PTC is developing a fix, but until patches are available customers should implement the recommended workaround and immediately protect any publicly accessible Windchill systems, applying mitigation steps across all deployments.
The advisory also directs customers to apply specific Apache and IIS HTTP Server configuration workarounds and cautions that file server or replica configurations may require the same mitigations. No known public exploitation has been reported to CISA at this time.