Applies To
- Windchill PDMLink All Versions
- FlexPLM All Versions
- This advisory applies to all CPS versions
- The identified vulnerability impacts Windchill and FlexPLM releases prior to 11.0 M030
Description
- The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
- CVE-2026-12569 has been reported for this Windchill vulnerability
- CWE 20: Improper Input Validation
- CWE 502: Deserialization of Untrusted Data
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). This advisory also reports the score of 9.0 from the CVSS v3.1 calculator.
- CVSS v3.1 Base Score: 9.0 (Critical)
- CVSS v4 Base Score: 9.3 (Critical)
- At this time, there is no evidence of confirmed exploitation affecting PTC customers
Resolution
Refer to the instructions in PTC Article CS473270 for more details.
Apache HTTP Server Configuration – Workaround Steps
- This is a remediation that can be implemented to further secure your system until you are able to apply the security update patch (once released).
- This is not a substitute for the patch, but the mitigation is intended to address the Remote Code Execution vulnerability at the application level.
- Once the patch is available and applied, this workaround must be removed.
- For PTC Cloud-hosted customers, no action is required. Maintenance notifications were sent to inform you about the updates applied to your system(s) for this remediation.
- Create a new Apache configuration file:
  <APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf
- Add the following to the body of this new configuration file:

    <LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.fv\.uploadtocache\.DoUploadToCache_Server.*$">
        <RequireAll>
            Require all granted
            Require not expr "unescape(%{QUERY_STRING}) =~ /(^|&)UploadInChunks=(?i:true)(&|$)/"
        </RequireAll>
    </LocationMatch>

- Be sure to save the new configuration file
- NOTE: If an Apache HTTP Server configuration file exists with a sequence number higher than 90, ensure that the new configuration file is loaded last in the sequence. The file name sequence number must be within the 90–99 range.
- Restart Apache HTTP Server for changes to take effect:
  Linux:
    apachectl stop
    apachectl start
  Windows (Service):
    Open Services
    Stop Apache HTTP Server
    Start Apache HTTP Server
IIS Configuration - Workaround Steps:
Notes
- IIS only allows a single <rewrite> section per configuration scope; multiple <rewrite> blocks must be merged into one with multiple rules. The workaround below includes the previous workaround for the critical RCE vulnerability documented in CS466866.
- Check whether the URL Rewrite module is available in the IIS web server
- If it is not available, follow steps 2 through 5; otherwise, jump to step 4
- Download the “url-rewrite” binary from https://www.iis.net/downloads/microsoft/url-rewrite
- Install the downloaded binary using PowerShell with the command below. Run the command with the exact location of the downloaded binary:
  Command: Start-Process msiexec.exe -ArgumentList "/i <location of binary> /quiet" -Wait
  Example: Start-Process msiexec.exe -ArgumentList "/i C:\Users\windchill\Downloads\rewrite_amd64_en-US.msi /quiet" -Wait
- Edit <WT_HOME>\web.config, add the rewrite rule below as the first element inside the <system.webServer> element, and save the file:

    <rewrite>
      <rules>
        <rule name="Block Windchill Publish Servlet" stopProcessing="true">
          <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(;[^/]*)?/.*$" ignoreCase="true" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access Denied" />
        </rule>
        <rule name="Block UploadInChunks for Windchill" stopProcessing="true">
          <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.fv\.uploadtocache\.DoUploadToCache_Server.*$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- In web.config (XML) a literal & in an attribute must be written as the entity &amp;, otherwise the file fails to parse -->
            <add input="{QUERY_STRING}" pattern="(^|&amp;)UploadInChunks=true(&amp;|$)" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Chunk upload not allowed" />
        </rule>
      </rules>
    </rewrite>
- Be sure to confirm that the web.config file is properly updated with the changes
- Restart the IIS web server with the command below from PowerShell:
  iisreset
- Close and relaunch the IIS Manager UI to check that the URL Rewrite rule is in place: click on Site > URL Rewrite; the URL Rewrite rule should appear in the list
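As an added check that is not part of the PTC advisory, the script below re-implements the path-and-query test shared by the Apache and IIS rules above (following the Apache variant, which percent-decodes the query string and matches the value case-insensitively) and runs it over constructed access-log lines, so you can confirm which requests the rule should have answered with 403 once the file is loaded. The function names, sample log lines and IP addresses are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Path pattern shared by the Apache <LocationMatch> and IIS <match url> rules above.
PATH_RE = re.compile(
    r"^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.fv\.uploadtocache\.DoUploadToCache_Server.*$")
# Query test from the Apache "Require not expr"; (?i:true) makes only the value case-insensitive.
CHUNK_RE = re.compile(r"(^|&)UploadInChunks=(?i:true)(&|$)")
# Just enough of an Apache combined-log line for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def is_blocked(request_target: str) -> bool:
    """True if the workaround would answer this request-target with 403.

    Mirrors the Apache variant: the path matches PATH_RE and the percent-decoded
    query string (Apache's unescape()) carries UploadInChunks=true as a whole
    parameter. Everything else stays granted by "Require all granted".
    """
    parts = urlsplit(request_target)
    if not PATH_RE.match(parts.path):
        return False
    return CHUNK_RE.search(unquote(parts.query)) is not None


def find_chunk_upload_requests(log_text: str):
    """(ip, target, status) for each logged request the rule is meant to block.

    With the workaround loaded these should all be 403; a 200 means the request
    reached the servlet, e.g. the file was not loaded last (see the NOTE above).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blocked(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic); the first three are chunked uploads.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "POST /Windchill/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server?UploadInChunks=true HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "POST /Windchill/servlet/WindchillAuthGW/wt.fv.uploadtocache.DoUploadToCache_Server?a=1&UploadInChunks=TRUE HTTP/1.1" 403 199
10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "POST /Windchill/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server?UploadInChunks=%54rue HTTP/1.1" 403 199
10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "POST /Windchill/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server?UploadInChunks=false HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET /Windchill/app/ HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for ip, target, status in find_chunk_upload_requests(SAMPLE_LOG):
        print("blocked" if status == 403 else "NOT blocked", ip, target)
```

Point find_chunk_upload_requests at your real access log after applying the workaround; any line it reports with a status other than 403 indicates the rule is not taking effect.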
Important Additional Information
- Once the workaround is applied, customers should be able to continue using their Windchill system
Other Options to Protect Your Systems
- If you are unable to apply the remediation quickly for any reason, you can also take the following steps to protect your systems:
- Shut down your Windchill or FlexPLM service (and then apply the remediation steps).
- Disconnect your Windchill or FlexPLM system from the public internet
Reference
- PTC Article CS473270