Patch Details (Supported Releases)
Be sure to review the Readme (Patch) or Release Notes (SUP) for any additional steps required when installing the update.
- This is a targeted, security only patch. It introduces code changes strictly limited to remediating the vulnerabilities identified in PTC eSupport articles CS466866 and CS466318 including those previously addressed through workarounds. No new features or functional modifications are included.
- Both the patch and SUP installation instructions call out a recommended database backup as a best practice to ensure the ability to recover if an unexpected error occurs; for this emergency security update the database backup is not required.
| Windchill Release | Standalone Patch/SUP |
| Windchill 12.1.2 | 12.1-XXXX_CPSXB6 |
| Windchill 13.0.2 | 13.0-XXXX_CPSXB2 |
| Windchill 13.1.2 | 13.1.2.6 |
| Windchill 13.1.3 | 13.1.3.2 |
Navigation path for each patch:
12.1-XXXX_CPSXB6:
- PTC Software Download – under “Release 12.1 -> PTC Windchill 12.1 Service Pack - Critical Patch Sets Bundles -> Most Recent Version -> Version: 12-1-2-21 > 12-1-XXXX-CPSXB6-TPATCH”
13.0-XXXX_CPSXB2:
- PTC Software Download – under “Release 13.0 -> PTC Windchill 13.0 Service Pack - Critical Patch Sets Bundles -> Most Recent Version -> Version: 13-0-2-11 > 13-0-XXXX-CPSXB2-TPATCH”
13.1.2.6:
- PTC Software Download – under “Release 13.1 -> PTC Windchill Security Update Patches-> Show all other available Versions -> Version: 13-1-2-6”
13.1.3.2:
- PTC Software Download – under “Release 13.1 -> PTC Windchill Security Update Patches-> Most Recent Version -> Version: 13-1-3-2"
PTC Cloud Hosted Customers:
- For PTC hosted customers, no action is required. Maintenance notifications will be sent to inform about the updates to your system(s) to apply the patch or SUP.
- For questions or concerns please contact your PTC Cloud Service Manager or open a PTC Cloud Incident.
Patch Details (Unsupported Releases)
Be sure to review the Readme (Patch) for any additional steps required when installing the update.
- This is a targeted, security only patch. It introduces code changes strictly limited to remediating the vulnerabilities identified in PTC eSupport articles CS466866 and CS466318 including those previously addressed through workarounds. No new features or functional modifications are included.
- The patch installation instructions call out a recommended database backup as a best practice to ensure the ability to recover if an unexpected error occurs; for this emergency security update the database backup is not required.
- There is a Java version pre-requisite that must be met for patches in the table that support Java8 – refer to Readme.
Windchill Release | Standalone Patch | Patch Applicable For |
Windchill 11.0 M030 | 11.0-M030-CPS24-CPSXB1 | 11.0 M030 to 11.0 M030 CPS24 |
Windchill 11.1 M020 | 11.1-M020-CPS36_CPSXB1 | 11.1 M020 to 11.1 M020 CPS36 |
Windchill 11.2.1 | 11.2.1.24_CPSXB1 | 11.2.1.0 to 11.2.1.24 |
Windchill 12.0.2 | 12.0.2.27_CPSXB1 | 12.0.2.0 to 12.0.2.27 |
Windchill 13.1.1 | 13.1.1.4_CPSXB1 | 13.1.1.0 to 13.1.1.4 |
Navigation path for each patch:
12.0.2:
- PTC Software Download site – under “Release 12.0 -> PTC Windchill 12.0 Service Pack - Critical Patch Sets Bundles -> Most Recent Version->12-0-CPSXB1-TPATCH”
11.2.1:
- PTC Software Download site – under “Release 11.2 -> PTC Windchill 11.2 Service Pack - Critical Patch Sets Bundles -> Most Recent Version->11-2-CPSXB1-TPATCH”
11.1 M020:
- PTC Software Download site – under “Release 11.1 -> PTC Windchill 11.1 Service Pack - Critical Patch Sets Bundles -> Most Recent Version-> M020-CPS36-CPSXB1-TPATCH”
11.0 M030:
- PTC Software Download site – under “Release 11.0 -> PTC Windchill 11.0 Service Pack - Critical Patch Sets Bundles -> Most Recent Version-> M030-CPS24-CPSXB1-TPATCH”
13.1.1:
Immediate Action Required (If patch is not yet available or cannot be applied)
Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically:
- Protect any publicly accessible Windchill systems
- While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure
- Apply the same precautions to FlexPLM deployments
The following documented workarounds should be IMMEDIATELY applied to every Windchill or FlexPLM system:
- The Java serialization filter property update (refer below for detailed steps) should be used as the primary workaround. If the Apache or IIS workaround has already been applied, they should remain in place. However, this additional workaround should also be applied if your Windchill or FlexPLM release supports it (see below).
- Customers using Apache HTTP Server should only follow “Apache HTTP Server Configuration – Workaround Steps” section steps
- Customers using Microsoft IIS should only follow “IIS Configuration - Workaround Steps” section steps
- Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable
- For Windchill and FlexPLM releases prior to 11.0 M030, it is important to note that your primary means of lowering your risk is to ensure that your system is not connected to the Internet, which significantly reduces exposure. For guidance on a potential workaround please refer to CS466565.
- If you are unable to apply the remediation quickly, other options to protect your systems are listed below the remediation instructions.
Java Serialization Filter Configuration Update (New 04/01/2026) - Workaround Steps
- This is an additional remediation that can be implemented to further secure your system until you are able to apply the security update patch (once released).
- This is not a substitute for the patch but addresses the Remote Code Execution vulnerability at the application level. We strongly recommend you apply this remediation IMMEDIATELY.
- PTC Cloud: Hosted customers no action is required. Maintenance notifications were sent to inform about the updates to your system(s) to apply this remediation.
- The filter allows you to specify which classes should be rejected using property wt.manager.serialFilter in wt.properties.xconf
- Multiple classes can be specified in the property by using semicolons with exact pattern to reject . Example “!<package name and class name>;”
- The current list of default classes should not be changed.
Steps to update the "wt.manager.serialFilter" property for this workaround:
- Take a backup of <WT_HOME>\codebase\wt.properties.
- Open <WT_HOME>\codebase\wt.properties.xconf and search for
name="wt.manager.serialFilter". - Append to existing list separated by ; at the end:
!wt.feedback.WTContextUpdate;
- Run xconfmanager -pf from Windchill shell.
- To Verify updates, Open <WT_HOME>\codebase\wt.properties and ensure “wt.manager.serialFilter ” property is updated with the following at the end:
!wt.feedback.WTContextUpdate;
Note: If manual updates are made into <WT_HOME>\codebase\wt.properties then ensure above workaround steps do not remove previous manual changes in <WT_HOME>\codebase\wt.properties
- Support for the Java serialization filter was added to Windchill in the following releases. This workaround, as documented using the Windchill "wt.manager.serialFilter" property, will be applicable only in the specific release CPS listed below:
Windchill Release | Windchill CPS |
11.1 M020 | CPS26 or higher |
11.2.1 | CPS17 or higher |
12.0.2 | CPS07 or higher |
12.1.0 | CPS04 or higher |
12.1.1 | CPS01 or higher |
12.1.2 | All |
13.0.0, 13.0.1, 13.0.2 | All |
13.1.0, 13.1.1, 13.1.2 | All |
FlexPLM Release | FlexPLM CPS |
11.1 M020 | CPS15 or higher |
11.2.1.0 | CPS07 or higher |
12.0.0.0 | 12.0.0.7 or higher |
12.0.2.0 | 12.0.2.4 or higher |
12.0.3.0 | 12.0.3.4 or higher |
12.1.2.0 | 12.1.2.0 |
12.1.3.0 | 12.1.3.0 |
13.x | 13.x |
Apache HTTP Server Configuration – Workaround Steps
Create a new Apache configuration file:
<APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf
Add the following to the body of this new configuration file:
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
Require all denied
</LocationMatch>
Be sure to save the new configuration file.
Restart Apache HTTP Server for changes to take effect:
- Linux:
apachectl stop
apachectl start
- Windows (Service):
Open Services
Stop Apache HTTP Server
Start Apache HTTP Server
IIS Configuration - Workaround Steps:
Notes:
- It is recommended to also confirm you have successfully implemented the workaround for the critical RCE vulnerability documented in CS466866.
- IIS only allows a single <rewrite> section per configuration scope; multiple <rewrite> blocks must be merged into one with multiple rules.
Check if URL Rewrite module is available in IIS Web Server
- if not available, please follow steps 2 through 5; else, jump to step 4
- Download “url-rewrite” binary from https://www.iis.net/downloads/microsoft/url-rewrite
Install the downloaded binary using PowerShell with the command below. Ensure you run the command with the exact location of the downloaded binary
Command: Start-Process msiexec.exe -ArgumentList "/i <location of binary> /quiet" -Wait
Example: Start-Process msiexec.exe -ArgumentList "/i C:\Users\windchill\Downloads\rewrite_amd64_en-US.msi /quiet" -Wait
- Edit
<WT_HOME>\web.config and add below configuration rewrite rule as a first tag in <system.webServer> tag and save the file
<rewrite>
<rules>
<rule name="Block Windchill Publish Servlet" stopProcessing="true">
<match url="^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(;[^/]*)?/.*$" ignoreCase="true" />
<action type="CustomResponse"
statusCode="403"
statusReason="Forbidden"
statusDescription="Access Denied" />
</rule>
</rules>
</rewrite>
Be sure to confirm the file web.config file is properly updated with the changes
- Restart IIS web server with below command from PowerShell
iisreset
- Close and relaunch IIS manager UI to check if the URL rewrite rule is in place
Click on Site--->URL Rewrite--->
The URL Rewrite rule should appear in the list
Important Additional Information
- For any questions related to the configuration workarounds (above), contact PTC Technical Support and open a Support Case
- Effective immediately, PTC is granting 24x7 customer support access and coverage to all PTC customers regardless of support level to address all matters specific to this vulnerability
- For PTC CLOUD HOSTED CUSTOMERS – The Apache HTTP Server configuration workaround has been applied on all PTC-hosted Windchill and FlexPLM systems. Maintenance will be planned to apply the Java Serialization filter on all PTC-hosted Windchill and FlexPLM systems.
- In addition to remediation steps outlined above, we urge you to look for the following indicators of compromise (IOCs) that can be used to determine if the vulnerability has been exploited in your Windchill or FlexPLM environment:
- If any of the IOCs are identified on the Windchill Server, please immediately notify your company’s security team to initiate your company’s response plan
Network and User-Agent:
Monitor for the following User-Agent Header:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
File System:
Check for the presence of any of these files (SHA256):
GW.class - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1
payload.bin - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1
Any *.jsp files with a random naming convention that follows the format: “dpr_<8-hex-digits>.jsp”
Note:
- Presence of the GW.class or dpr_<8-hex-digits>.jsp on the Windchill server indicates the attacker has completed weaponization on the system prior to conducting remote code execution (RCE)
- The GW.class and payload.bin files are identical in content; therefore, they have the same hash
- The hashes provided are based on information known at this time. If new information is identified, any potential changes to the hashes will continue to be updated in this article.
Gen.class- 9856FCFC71099646F4E705BC906BD1BB170871290D364CA20C716E566257E264
HTTPRequest.class - 6B015D40D3E6A2B3425797B9B75B8F3868A7A6EAD155686E4AE0D9BFC87F4E57
HTTPResponse.class - 6F0472C8D83C0F85DFF106028F7ABB754631F7B585078B3919DAE99E3672C389
IXBCommonStreamer.class - B1B141130718FFF5A2F8E6A048165338DDBC50DA3A2464C43BFCA0476BAC4CC7
IXBStreamer.class - E207BDC91D172012AF28B028E9DD21C8B377E78286AD8C8E4E085F2D6E9C0C03
MethodFeedback.class - 6A88AB22B35C9D4DB9A582B6F386968355E4A4362235A6CDC038B672F9EC9372
MethodResult.class - 21A2AD61FC72E1256BBD037CBD5AD4279A916F9E4ADF0D197177BA95A22C881D
WTContextUpdate.class - 06E166A84701D430ADCDC19BA8DA2124CA223637919D6E89068219433BB9073F
Gen.java – F2C8EB4A4F4BB2344DC0E41C2717B7B0D22F923A1CDBBE61EBF415759F757DAD
GW.java – 330433BC430CB40E7BC4D17BEBABD521572AD5077F614484FEE9442EEE793477
HTTPRequest.java – 1CB7A011880958A1A8797D720495646BA8B0601AF09352E4118FCB0E09475E95
HTTPResponse.java – E697AFEAF83ED975D5B5D2A6604F08E7496D99F9775F33407B0B02530516D88D
IXBCommonStreamer.java – AFEDA8E680639FE58343AE7A67B92C36E44A67A6BB7DC3C1FC239DF29CF225E0
IXBStreamer.java – AD388F887F2EB0114AA672EC0D9EE9201916F257EB982C96EC4867727C52082C
MethodFeedback.java – 305241D4D27B07CFDD566AA16B22CF79116EE9BC254D6D8A8032443ABA2EC985
MethodResult.java – 69E41E4B68A1097143C394DE25B2E1D33A819AED0C61F3DF891485A98B5AAA07
WTContextUpdate.java -78473ABBECDFF2BDC30BCB96B0B3EAC3BD6493E6960D11D03277509EFDA188F2
Log and Error IOCs
Unusual error messages in log files, '<APACHE_HOME>/logs' and/or '<WINDCHILL_HOME>/logs' referencing:
- run?c=echo%20GW_READY_OK
- c=echo%20GW_READY_OK
- c=echo 20GW_READY_OK
- GW_READY_OK
- ClassNotFoundException for GW
- Windchill Error or HTTP Gateway Exception