Analytics Story: PTC Windchill Exploitation
Description
Leverage searches that allow you to detect and investigate activity that may relate to exploitation of PTC Windchill and FlexPLM CVE-2026-4681.
Why it matters
CVE-2026-4681 is a critical remote code execution vulnerability affecting PTC Windchill PDMLink and FlexPLM. PTC reports that the vulnerability may be exploited through deserialization of untrusted data and published urgent mitigation guidance for Windchill and FlexPLM environments.
During exploitation, attackers may stage gateway or JSP components and then interact with them through suspicious HTTP request patterns. PTC identifies run?c=, run?p=, .jsp?c=, and .jsp?p= as suspicious request patterns to correlate, with run?c=echo%20GW_READY_OK, c=echo%20GW_READY_OK, and GW_READY_OK called out as log and error indicators. Once the staged component is reachable, the c= parameter can be used to send operating system commands such as whoami, while p= may indicate file read behavior.
This analytic story focuses on Windchill MethodServer log4j telemetry, especially the wt.servlet.ServletRequestMonitor.request and wt.method.MethodContextMonitor.contexts.servletRequest loggers, to identify exploitation probes and follow-on command or file read activity. Organizations should combine these detections with the PTC-published HTTP server mitigations, patching guidance, and file-system IOC checks for artifacts such as GW.class, payload.bin, and randomly named dpr_<8 hex>.jsp files.
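As an added illustration (not part of the analytic story's own searches), the following Python sketch applies the indicators above to MethodServer log lines: it restricts itself to the two loggers named, matches the PTC request patterns and the dpr_<8 hex>.jsp filename shape, and labels each hit as a GW_READY_OK probe, a c= command, or a p= file read. The single-line log4j layout and the sample lines are constructed for the example; adapt LINE_RE to the real pattern layout in your Windchill deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Loggers the analytic story names as the relevant Windchill MethodServer telemetry.
LOGGERS = {"wt.servlet.ServletRequestMonitor.request",
           "wt.method.MethodContextMonitor.contexts.servletRequest"}
# Request patterns and indicators PTC calls out for correlation.
SUSPICIOUS_URL = re.compile(r"run\?[cp]=|\.jsp\?[cp]=", re.IGNORECASE)
READY_MARKER = "GW_READY_OK"
STAGED_JSP = re.compile(r"dpr_[0-9a-f]{8}\.jsp", re.IGNORECASE)
# Assumed (constructed) log4j layout: "<date> <time> <LEVEL> [<logger>] - <METHOD> <url>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<logger>[\w.]+)\] - "
                     r"(?P<method>[A-Z]+) (?P<url>\S+)$")

def classify(line):
    """Return a finding dict for a suspicious MethodServer request line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("logger") not in LOGGERS:
        return None
    url = m.group("url")
    if not (SUSPICIOUS_URL.search(url) or READY_MARKER in url or STAGED_JSP.search(url)):
        return None
    params = parse_qs(urlsplit(url).query)       # decodes %20, %2F etc.
    cmd, path = params.get("c", [None])[0], params.get("p", [None])[0]
    if READY_MARKER in url:
        stage, arg = "probe", cmd                # readiness check of the staged gateway
    elif cmd is not None:
        stage, arg = "command", cmd              # c= carries an OS command
    elif path is not None:
        stage, arg = "file_read", path           # p= indicates file read behaviour
    else:
        stage, arg = "staged_component", None    # dpr_<8 hex>.jsp hit without parameters
    return {"ts": m.group("ts"), "logger": m.group("logger"), "url": url, "stage": stage,
            "argument": arg, "staged_jsp": bool(STAGED_JSP.search(url))}

def scan(lines):
    """Apply classify() to each log line; return the findings in log order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample telemetry for the example; not real Windchill output.
SAMPLE_LOG = [
    "2026-03-27 10:15:01,101 INFO [wt.servlet.ServletRequestMonitor.request] - GET /Windchill/app/index.jsp",
    "2026-03-27 10:15:02,204 INFO [wt.servlet.ServletRequestMonitor.request] - GET /Windchill/dpr_1a2b3c4d.jsp?c=echo%20GW_READY_OK",
    "2026-03-27 10:15:03,310 INFO [wt.method.MethodContextMonitor.contexts.servletRequest] - GET /Windchill/dpr_1a2b3c4d.jsp?c=whoami",
    "2026-03-27 10:15:04,415 INFO [wt.servlet.ServletRequestMonitor.request] - GET /Windchill/servlet/run?p=%2Ftmp%2Fexample.txt",
    "2026-03-27 10:15:05,520 INFO [org.apache.catalina.core] - GET /Windchill/other.jsp?c=ignored",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["stage"], f["argument"], f["url"])
```

Requests outside the two monitored loggers are deliberately ignored so the output stays aligned with the telemetry the story is built on; a "probe" followed by a "command" from the same client is the sequence worth escalating.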
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windchill Log4j | Other | log4j | not_applicable |
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-03
- https://nvd.nist.gov/vuln/detail/CVE-2026-4681
- https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
Source: GitHub | Version: 1