Urgent: Path Traversal Vulnerability reported in Windchill and FlexPLM (PTC Article CS466866)
Applies To
- Windchill PDMLink All Versions
- FlexPLM All Versions
- This advisory applies to all CPS versions
- The identified vulnerability impacts Windchill and FlexPLM releases prior to 11.0 M030
Description
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory
- A CVE has not yet been assigned to this vulnerability
- CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
- CVSS v3.1 Base Score: 7.5 (High)
- CVSS v4 Base Score: 8.7 (High)
- At this time, there is no evidence of confirmed exploitation affecting PTC customers
Resolution
Refer to the instructions in PTC Article CS466866 for more details.
Apache HTTP Server Configuration – Workaround Steps
- Create a new Apache configuration file:
  <APACHE_HOME>/conf/conf.d/91-app-Windchill-Auth.conf
- Add the following to the body of this new configuration file:
  <LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$">
      Require all denied
  </LocationMatch>
- Be sure to save the new configuration file.
  NOTE: The sequence number in this configuration file name must be within the 90–99 range. If sequence number 91 is already in use, choose a higher sequence number for the configuration file name.
- Restart Apache HTTP Server for the changes to take effect:
  Linux:
  apachectl stop
  apachectl start
  Windows (Service):
  Open Services
  Stop Apache HTTP Server
  Start Apache HTTP Server
IIS Configuration - Workaround Steps
Note: First, confirm you have successfully implemented the workaround for the critical RCE vulnerability documented in CS466318
- Check if URL Rewrite module is available in IIS Web Server
- If not available, please follow steps 2 through 5; else, jump to step 4
- Download the “url-rewrite” binary from https://www.iis.net/downloads/microsoft/url-rewrite
- Install the downloaded binary using PowerShell with the command below. Ensure you run the command with the exact location of the downloaded binary
Command:
Start-Process msiexec.exe -ArgumentList "/i <location of binary> /quiet" -Wait
Example:
Start-Process msiexec.exe -ArgumentList "/i C:\Users\windchill\Downloads\rewrite_amd64_en-US.msi /quiet" -Wait
- Edit <WT_HOME>\web.config, add the rewrite rule below as the first tag inside the <system.webServer> tag, and save the file:
  <rewrite>
    <rule name="Block Windchill ReconnectedHttpURLCon Servlet" stopProcessing="true">
      <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(;[^/]*)?/.*$" ignoreCase="true" />
      <action type="CustomResponse"
              statusCode="403"
              statusReason="Forbidden"
              statusDescription="Access Denied" />
    </rule>
  </rewrite>
  Be sure to confirm that the web.config file has been properly updated with the changes.
- Restart the IIS web server with the command below from PowerShell:
  iisreset
- Close and relaunch the IIS Manager UI to check that the URL Rewrite rule is in place
- Click on Site--->URL Rewrite--->The URL Rewrite rule should appear in the list
Important Additional Information
- Follow the validation steps below to ensure the changes were applied and are working
- Once the workaround is applied, customers should be able to continue using their Windchill system. There are no known functional impacts from applying the Apache workaround
Other Options to Protect Your Systems
- Shut down your Windchill or FlexPLM service (and then apply the remediation steps).
- Disconnect your Windchill or FlexPLM system from the public internet
Validation
Proceed to implement the steps from the Article CS466866 on your Windchill 13.1.2.0 releases at the earliest and confirm once completed.
Below are the validation URLs you can use to verify the implementation of the steps from the Article:
*The URL examples need to be updated to include your specific installation of Windchill. Replace <windchill> with the URL of the Windchill environments that are being updated.
https://<windchill>/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/
https://<windchill>/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/test
https://<windchill>/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/test=123
https://<windchill>/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/
https://<windchill>/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/text
https://<windchill>/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/text=123
Expected result:
Please note that receiving a '403 FORBIDDEN' error when accessing these URLs is expected.
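The following script is an added example and is not part of the PTC article or EAC's own tooling. It puts the blocking pattern shared by the Apache LocationMatch and the IIS rewrite rule into a regular expression so you can confirm offline which request paths the rule denies and which normal Windchill paths it leaves alone, and it then requests each of the validation URLs listed above, reporting any that did not answer 403. The host name windchill.example.test and the simulated_server stand-in are constructed for offline use; the rest is standard library only.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# The pattern from the advisory's Apache LocationMatch / IIS <match url=...> rule.
# Both forms are the same expression; Python's re accepts it unchanged.
BLOCK_PATTERN = re.compile(
    r"^.*servlet/(WindchillGW|WindchillAuthGW)/"
    r"wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$"
)

# Validation paths listed in the advisory, relative to the Windchill host.
VALIDATION_PATHS: List[str] = [
    "/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/",
    "/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/test",
    "/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/test=123",
    "/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/",
    "/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/text",
    "/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/text=123",
]


def path_is_blocked(path: str) -> bool:
    """True if a request for this path would be denied by the advisory's rule."""
    return BLOCK_PATTERN.match(path) is not None


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL and return its HTTP status code; 403 is the expected result."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the code is what we want to record.
        return err.code


def validate_workaround(
    base_url: str, fetch: Callable[[str], int] = http_status
) -> Dict[str, int]:
    """Request every validation URL and return the ones that did NOT answer 403.

    An empty dict means the workaround is in place for all listed URLs.
    """
    failures: Dict[str, int] = {}
    for path in VALIDATION_PATHS:
        url = base_url.rstrip("/") + path
        status = fetch(url)
        if status != 403:
            failures[url] = status
    return failures


def simulated_server(url: str) -> int:
    """Constructed stand-in for a host with the rule applied (offline checks only):
    403 for paths the rule matches, 200 for everything else."""
    path = urllib.parse.urlsplit(url).path
    return 403 if path_is_blocked(path) else 200


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real check against the environment given on the command line.
        failures = validate_workaround(sys.argv[1])
    else:
        # No host given: exercise the constructed stand-in instead.
        failures = validate_workaround("https://windchill.example.test", fetch=simulated_server)
    if failures:
        for url, status in failures.items():
            print(f"NOT BLOCKED ({status}): {url}")
        sys.exit(1)
    print("All validation URLs returned 403 as expected.")
```

Run it with the base URL of the environment being validated as its only argument (for example the https://<windchill> prefix from the list above); with no argument it runs against the constructed stand-in so the logic can be checked before touching a real system. Ordinary Windchill paths such as /Windchill/app/ do not match the pattern, which is why the advisory reports no functional impact.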
Reference
- PTC Article CS466866
Subscribe to EAC’s Alliance Managed Services Program. Ensure your Windchill environment is actively monitored and vulnerabilities are proactively resolved.