• Due to the sensitive nature of this article, content may be updated frequently. Machine translations may not reflect the latest changes. For the most accurate and up‑to‑date information, please refer to the English version
• Please check back regularly and subscribe to this article to be aware of any updates actively being made to this article and/or guidance.  Latest Update: 4/2/2026, 3:39 PM EST
  • Please refer to the change log below
  • Review the file system IOCs below for updates
    
    
• Please ensure you follow the remediation instructions in both CS466318 (Critical RCE Vulnerability) and CS466866 (Urgent Path Traversal Vulnerability) - the combination of these vulnerabilities increases risk and requires immediate action.
  • When combined, these vulnerabilities do not need to be exploited independently. Instead, they can be used in tandem
• PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability
  • A permanent security patch for supported versions (13.1, 13.0 and 12.1) of Windchill and FlexPLM has been made available Thursday, April 2nd
  • Additional patches for unsupported versions back to Windchill 11.0 M030 are planned to subsequently be released the week of April 6th.
    • Note: If any of the below workarounds have been applied to the Windchill or FlexPLM system they do not need to be removed when the security patch or SUP is applied

Patch Details (Supported Releases)

Be sure to review the Readme (Patch) or Release Notes (SUP) for any additional steps required when installing the update.

• Both the patch and SUP installation instructions call out a recommended database backup as a best practice to ensure the ability to recover if an unexpected error occurs; for this emergency security update the database backup is not required.

Navigation path for each patch:

1. 12.1-XXXX_CPSXB6:
   1. PTC Software Download – under “Release 12.1 -> PTC Windchill 12.1 Service Pack - Critical Patch Sets Bundles -> Most Recent Version -> Version: 12-1-2-21”
2. 13.0-XXXX_CPSXB2:
   1. PTC Software Download  – under “Release 13.0 -> PTC Windchill 13.0 Service Pack - Critical Patch Sets Bundles -> Most Recent Version -> Version: 13-0-2-11”
3. 13.1.2.6:
   1. PTC Software Download – under “Release 13.1 -> PTC Windchill Security Update Patches-> Show all other available Versions -> Version: 13-1-2-6”
4. 13.1.3.2:
   1. PTC Software Download  – under “Release 13.1 -> PTC Windchill Security Update Patches-> Most Recent Version -> Version: 13-1-3-2"

PTC Cloud Hosted Customers:

• For PTC hosted customers, no action is required. Maintenance notifications will be sent to inform about the updates to your system(s) to apply the patch or SUP.
• For questions or concerns please contact your PTC Cloud Service Manager or open a PTC Cloud Incident.

Patch Details (Unsupported Releases)

Details will be provided when patches are available

Immediate Action Required (If patch is not yet available or cannot be applied)

• Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically:
  • Protect any publicly accessible Windchill systems
  • While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure
  • Apply the same precautions to FlexPLM deployments
• The following documented workarounds should be IMMEDIATELY applied to every Windchill or FlexPLM system:
  • The Java serialization filter property update (refer below for detailed steps) should be used as the primary workaround.   If the Apache or IIS workaround has already been applied, they should remain in place.  However, this additional workaround should also be applied if your Windchill or FlexPLM release supports it (see below).
  • Customers using Apache HTTP Server should only follow “Apache HTTP Server Configuration – Workaround Steps” section steps
  • Customers using Microsoft IIS should only follow “IIS Configuration - Workaround Steps” section steps 
  • Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable
• For Windchill and FlexPLM releases prior to 11.0 M030, it is important to note that your primary means of lowering your risk is to ensure that your system is not connected to the Internet, which significantly reduces exposure.  For guidance on a potential workaround please refer to CS466565.

• If you are unable to apply the remediation quickly, other options to protect your systems are listed below the remediation instructions. 

Java Serialization Filter Configuration Update (New 04/01/2026) - Workaround Steps

• This is an additional remediation that can be implemented to further secure your system until you are able to apply the security update patch (once released).
• This is not a substitute for the patch but addresses the Remote Code Execution vulnerability at the application level. We strongly recommend you apply this remediation IMMEDIATELY.

• PTC Cloud: Hosted customers no action is required.  Maintenance notifications were sent to inform about the updates to your system(s) to apply this remediation.

• The filter allows you to specify which classes should be rejected using property wt.manager.serialFilter in wt.properties.xconf
• Multiple classes can be specified in the property by using semicolons with exact pattern to reject . Example  “!<package name and class name>;”
• The current list of default classes should not be changed.
  
  

Steps to update the "wt.manager.serialFilter" property for this workaround:

1. 1. 1. Take a backup of <WT_HOME>\codebase\wt.properties.
      2. Open <WT_HOME>\codebase\wt.properties.xconf and search for name="wt.manager.serialFilter".
      3. Append to existing list separated by ; at the end:
         
         !wt.feedback.WTContextUpdate;

• • 4. Run xconfmanager -pf from Windchill shell.
    5. To Verify updates, Open <WT_HOME>\codebase\wt.properties and ensure  “wt.manager.serialFilter ” property is updated with the following at the end:
       
       !wt.feedback.WTContextUpdate;

• • 6. Restart Windchill.

Note: If manual updates are made into <WT_HOME>\codebase\wt.properties  then ensure above workaround steps do not remove previous manual changes in <WT_HOME>\codebase\wt.properties 

• Support for the Java serialization filter was added to Windchill in the following releases.  This workaround, as documented using the Windchill "wt.manager.serialFilter" property, will be applicable only in the specific release CPS listed below:

Apache HTTP Server Configuration – Workaround Steps

1. 1. Create a new Apache configuration file:
      <APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf 

   2. Add the following to the body of this new configuration file:

      <LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
          Require all denied
      </LocationMatch>

      
      

   3. Be sure to save the new configuration file.

      • NOTE: If an Apache HTTP Server configuration file exists with a sequence number higher than 90, ensure that the new configuration file is loaded last in the sequence. The file name sequence number must be within the 90–99 range.

1. 4. Restart Apache HTTP Server for changes to take effect:

      • Linux:
        apachectl stop
        apachectl start
        
        
      • Windows (Service):
        Open Services
        Stop Apache HTTP Server
        Start Apache HTTP Server

IIS Configuration - Workaround Steps:

Notes:

• It is recommended to also confirm you have successfully implemented the workaround for the critical RCE vulnerability documented in CS466866.
• IIS only allows a single <rewrite> section per configuration scope; multiple <rewrite> blocks must be merged into one with multiple rules.

1. 1. Check if URL Rewrite module is available in IIS Web Server 
      • if not available, please follow steps 2 through 5; else, jump to step 4
   2. Download “url-rewrite” binary from  https://www.iis.net/downloads/microsoft/url-rewrite

   3. Install the downloaded binary using PowerShell with the command below. Ensure you run the command with the exact location of the downloaded binary
      
      Command: Start-Process msiexec.exe -ArgumentList "/i <location of binary> /quiet" -Wait
      Example: Start-Process msiexec.exe -ArgumentList "/i C:\Users\windchill\Downloads\rewrite_amd64_en-US.msi /quiet" -Wait

   4. Edit <WT_HOME>\web.config and add below configuration rewrite rule as a first tag in <system.webServer> tag and save the file

<rewrite>
    <rules>
        <rule name="Block Windchill Publish Servlet" stopProcessing="true">
            <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(;[^/]*)?/.*$" ignoreCase="true" />
                <action type="CustomResponse"
                    statusCode="403"
                    statusReason="Forbidden"
                    statusDescription="Access Denied" />
        </rule>
    </rules>
</rewrite>

Be sure to confirm the file web.config file is properly updated with the changes

5. Restart IIS web server with below command from PowerShell

iisreset



6. Close and relaunch IIS manager UI to check if the URL rewrite rule is in place

Click on Site--->URL Rewrite--->
The URL Rewrite rule should appear in the list

Important Additional Information

• Once the workaround is applied, customers should be able to continue using their Windchill system. There are no known functional impacts due to applying the Java Serialization filter, Apache or IIS workaround
• Other Options to Protect Your Systems
  • If you are unable to apply the remediation quickly for any reason, you can also take the following steps to protect your systems:
    • Shut down your Windchill or FlexPLM service (and then apply the remediation steps).
    • Disconnect your Windchill or FlexPLM system from the public internet

• For any questions related to the configuration workarounds (above), contact PTC Technical Support and open a Support Case
• Effective immediately, PTC is granting 24x7 customer support access and coverage to all PTC customers regardless of support level to address all matters specific to this vulnerability
• For PTC CLOUD HOSTED CUSTOMERS – The Apache HTTP Server configuration workaround has been applied on all PTC-hosted Windchill and FlexPLM systems.  Maintenance will be planned to apply the Java Serialization filter on all PTC-hosted Windchill and FlexPLM systems.
  
  
• In addition to remediation steps outlined above, we urge you to look for the following indicators of compromise (IOCs) that can be used to determine if the vulnerability has been exploited in your Windchill or FlexPLM environment:
• If any of the IOCs are identified on the Windchill Server, please immediately notify your company’s security team to initiate your company’s response plan

Network and User-Agent:
Monitor for the following User-Agent Header: 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

• User-Agent records should be considered valid IOCs only when observed together with suspicious HTTP request patterns.
• Suspicious HTTP patterns to correlate:
  • run?p=
  • .jsp?p=
  • run?c=
  • .jsp?c=

File System:
Check for the presence of any of these files (SHA256):

GW.class - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1

 payload.bin - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1

Any *.jsp files with a random naming convention that follows the format:  “dpr_<8-hex-digits>.jsp”

       Note:

• Presence of the GW.class or dpr_<8-hex-digits>.jsp on the Windchill server indicates the attacker has completed weaponization on the system prior to conducting remote code execution (RCE)
• The GW.class and payload.bin files are identical in content; therefore, they have the same hash
• The hashes provided are based on information known at this time.  If new information is identified, any potential changes to the hashes will continue to be updated in this article.

    
Gen.class- 9856FCFC71099646F4E705BC906BD1BB170871290D364CA20C716E566257E264  
HTTPRequest.class - 6B015D40D3E6A2B3425797B9B75B8F3868A7A6EAD155686E4AE0D9BFC87F4E57      
HTTPResponse.class - 6F0472C8D83C0F85DFF106028F7ABB754631F7B585078B3919DAE99E3672C389     
IXBCommonStreamer.class - B1B141130718FFF5A2F8E6A048165338DDBC50DA3A2464C43BFCA0476BAC4CC7     
IXBStreamer.class - E207BDC91D172012AF28B028E9DD21C8B377E78286AD8C8E4E085F2D6E9C0C03      
MethodFeedback.class - 6A88AB22B35C9D4DB9A582B6F386968355E4A4362235A6CDC038B672F9EC9372     
MethodResult.class - 21A2AD61FC72E1256BBD037CBD5AD4279A916F9E4ADF0D197177BA95A22C881D     
WTContextUpdate.class - 06E166A84701D430ADCDC19BA8DA2124CA223637919D6E89068219433BB9073F

Gen.java – F2C8EB4A4F4BB2344DC0E41C2717B7B0D22F923A1CDBBE61EBF415759F757DAD
GW.java – 330433BC430CB40E7BC4D17BEBABD521572AD5077F614484FEE9442EEE793477
HTTPRequest.java – 1CB7A011880958A1A8797D720495646BA8B0601AF09352E4118FCB0E09475E95
HTTPResponse.java – E697AFEAF83ED975D5B5D2A6604F08E7496D99F9775F33407B0B02530516D88D
IXBCommonStreamer.java – AFEDA8E680639FE58343AE7A67B92C36E44A67A6BB7DC3C1FC239DF29CF225E0
IXBStreamer.java – AD388F887F2EB0114AA672EC0D9EE9201916F257EB982C96EC4867727C52082C
MethodFeedback.java – 305241D4D27B07CFDD566AA16B22CF79116EE9BC254D6D8A8032443ABA2EC985
MethodResult.java – 69E41E4B68A1097143C394DE25B2E1D33A819AED0C61F3DF891485A98B5AAA07
WTContextUpdate.java -78473ABBECDFF2BDC30BCB96B0B3EAC3BD6493E6960D11D03277509EFDA188F2

Log and Error IOCs
Unusual error messages in log files, '<APACHE_HOME>/logs' and/or '<WINDCHILL_HOME>/logs' referencing:

• run?c=echo%20GW_READY_OK
• c=echo%20GW_READY_OK
• c=echo 20GW_READY_OK
• GW_READY_OK
• ClassNotFoundException for GW
• Windchill Error or HTTP Gateway Exception