CISA has added a critical unauthenticated remote code execution (RCE) vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities (KEV) catalog. This designation confirms active exploitation in the wild, with specific intelligence indicating threat actors are leveraging this flaw to deploy web shells on affected enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) servers.
For organizations managing critical intellectual property and manufacturing data, this is a high-priority event. The presence of web shells allows for persistent access, lateral movement, and data exfiltration. Defenders must immediately assume compromise for internet-facing instances and initiate hunting operations.
Technical Analysis
Affected Software:
- PTC Windchill PDMlink
- PTC FlexPLM
The Vulnerability: The vulnerability is a critical unauthenticated RCE flaw. The CVE identifier and affected version ranges were not reproduced in the advisory bulletin this write-up is based on; the KEV catalog entry and PTC's own advisory are the authoritative sources for the exact identifier and fixed builds. The technical impact is that a remote attacker can execute arbitrary code on the underlying server hosting the PTC application without supplying valid credentials.
Attack Chain & Exploitation Status:
- Initial Access: Attackers send maliciously crafted requests to the vulnerable web interface of the PTC Windchill/FlexPLM server.
- Execution: The server processes the request, triggering the RCE condition.
- Persistence (Web Shells): Intelligence from the field suggests attackers are immediately dropping web shells (e.g., JSP or JSPX files) into a web-served directory (for Windchill, under the codebase tree). A web shell is a backdoor for command execution that survives patching of the initial vulnerability, so patching alone does not evict an attacker who has already landed.
- CISA KEV Status: Confirmed Active Exploitation.
Detection & Response
The following detection rules focus on the behavioral indicators of a compromised PTC Windchill server, specifically looking for the Java application server spawning unauthorized shells or the creation of suspicious web artifacts.
SIGMA Rules
---
title: PTC Windchill Java Process Spawning Windows Shell
id: a8b9c0d1-2e3f-4a5b-8c7d-9e0f1a2b3c4d
status: experimental
description: Detects the PTC Windchill Java process (typically running as tomcat or a specific PTC service) spawning cmd.exe, powershell.exe or pwsh.exe. This is a high-fidelity indicator of RCE exploitation leading to web shell activity.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/18
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    # Exclusions are keyed on the parent (which JVM this is). The child command line is
    # attacker-controlled, so a keyword exclusion on it (e.g. 'Backup') is trivially evaded.
    filter_legit:
        ParentCommandLine|contains:
            - 'Veritas'
            - 'Backup'
            - 'admin_scripts'
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Legitimate administrative debugging (rare)
    - Other Java applications on the same host that legitimately spawn shells; tune filter_legit to those JVMs
level: critical
---
title: Suspicious JSP/JSPX File Creation in Web Directories
id: b2c3d4e5-3f4a-5b6c-9d8e-0f1a2b3c4d5e
status: experimental
description: Detects the creation of .jsp or .jspx files, common web shell extensions for Java-based apps like Windchill, within the Windchill/PTC directory tree. A file written by the Java process itself is always reported, because the application server has no business authoring its own JSP pages; files written by other processes are reported unless they come from a known deployment account.
references:
    - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/06/18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        # '\ptc\' rather than a bare 'ptc': Sigma matching is case-insensitive and a bare
        # substring also matches unrelated paths such as ...\ScriptCache\...
        TargetFilename|contains:
            - 'Windchill'
            - '\ptc\'
        TargetFilename|endswith:
            - '.jsp'
            - '.jspx'
    selection_jvm_writer:
        Image|endswith:
            - '\java.exe'
            - '\javaw.exe'
    # The deployment-account exclusion only applies to writes by non-JVM processes: if the
    # Windchill service itself runs as Administrator, a user-based exclusion alone would hide the drop.
    filter_legit_dev:
        User|contains:
            - 'Administrator'
            - 'DevOps'
    condition: selection and (selection_jvm_writer or not filter_legit_dev)
falsepositives:
    - Legitimate PTC developers deploying updates
    - Windchill updates or patch installers run under a service account not listed in filter_legit_dev
level: high
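The two Sigma rules above, reduced to the logic they encode and run over a handful of constructed Sysmon-style events (EventID 1 process creation and EventID 11 file creation). This is an added example and not code from the original advisory or from PTC; the hostnames, paths and command lines in SAMPLE_EVENTS are made up, and the 'Veritas' parent exclusion and the Administrator/DevOps deployment accounts are assumptions carried over from the rules for illustration. It shows why the exclusions are keyed the way they are: the JVM-spawned shell rule tunes on the parent command line (the child command line is attacker-controlled), and the JSP-drop rule checks the writing process before any user-based exclusion, so a Windchill service running as Administrator cannot mask its own web shell write.

```python
import re
from dataclasses import dataclass

JVM_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEBSHELL_EXTENSIONS = (".jsp", ".jspx")
# Arguments that raise "JVM spawned a shell" from high to critical (encoded payloads, download cradles).
# '-enc' is anchored with \b so a legitimate '-Encoding' switch does not match.
SUSPICIOUS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|downloadstring|\biex\b|invoke-expression|certutil|bitsadmin", re.I
)
# Assumed exclusion: a backup agent's own JVM, keyed on the PARENT command line (see detect_jvm_shell).
LEGIT_PARENT_MARKERS = ("veritas",)


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_jvm_shell(ev: dict):
    """Sysmon EventID 1: java.exe/javaw.exe spawning cmd.exe, powershell.exe or pwsh.exe."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    if parent not in JVM_IMAGES or child not in SHELL_IMAGES:
        return None
    # Tune on the parent's command line (which JVM this is). The child command line is attacker
    # controlled, so a child-side keyword exclusion could be satisfied by the attacker on purpose.
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    if any(marker in parent_cmd for marker in LEGIT_PARENT_MARKERS):
        return None
    child_cmd = ev.get("CommandLine", "")
    severity = "critical" if SUSPICIOUS_ARGS.search(child_cmd) else "high"
    return Finding("jvm_spawns_shell", severity, ev["Computer"], f"{parent} -> {child_cmd}")


def detect_jsp_drop(ev: dict):
    """Sysmon EventID 11: a .jsp/.jspx file written under a Windchill or \\ptc\\ path."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "").lower().replace("/", "\\")
    if not target.endswith(WEBSHELL_EXTENSIONS):
        return None
    if "windchill" not in target and "\\ptc\\" not in target:
        return None
    writer = _basename(ev.get("Image", ""))
    if writer in JVM_IMAGES:
        # The application server writing its own web content is the post-RCE drop itself.
        # Evaluated before any account-based exclusion: the service may well run as Administrator.
        severity = "critical"
    elif ev.get("User", "").lower().endswith(("\\administrator", "\\devops")):
        return None  # assumed deployment accounts (a deliberately narrow exclusion)
    else:
        severity = "high"
    return Finding("jsp_created_in_webroot", severity, ev["Computer"],
                   f"{writer} wrote {ev['TargetFilename']}")


def run_detections(events):
    """Apply both rules to every event; returns the findings in event order."""
    findings = []
    for ev in events:
        for rule in (detect_jvm_shell, detect_jsp_drop):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Field names follow Sysmon EventID 1 and 11.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "plm01", "ParentImage": r"C:\ptc\Windchill\Java\bin\java.exe",
     "ParentCommandLine": "java -Dwt.home=C:\\ptc\\Windchill wt.method.MethodServerMain",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "plm01", "ParentImage": r"C:\ptc\Windchill\Java\bin\java.exe",
     "ParentCommandLine": "java -Dwt.home=C:\\ptc\\Windchill wt.method.MethodServerMain",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Computer": "bkp02", "ParentImage": r"C:\Program Files\Veritas\jre\bin\javaw.exe",
     "ParentCommandLine": "javaw -jar C:\\Program Files\\Veritas\\agent.jar",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c vssadmin list shadows"},
    {"EventID": 1, "Computer": "ws07", "ParentImage": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ParentCommandLine": "chrome.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Computer": "plm01", "Image": r"C:\ptc\Windchill\Java\bin\java.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TargetFilename": r"C:\ptc\Windchill\codebase\netmarkets\jsp\util\health.jsp"},
    {"EventID": 11, "Computer": "plm01", "Image": r"C:\Windows\System32\msiexec.exe",
     "User": r"CORP\DevOps", "TargetFilename": r"C:\ptc\Windchill\codebase\netmarkets\jsp\patch\fix.jsp"},
    {"EventID": 11, "Computer": "plm01", "Image": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "TargetFilename": r"C:\ptc\Windchill\codebase\x.jspx"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule:22} {f.host}: {f.detail}")
```

Running it yields four findings: the plain `whoami` shell (high), the encoded PowerShell (critical), the JVM writing `health.jsp` (critical) and the unknown user writing `x.jspx` (high). The Veritas JVM, the Chrome-spawned shell and the DevOps-account MSI deployment are correctly silent.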
KQL (Microsoft Sentinel / Defender advanced hunting)
// Hunt for PTC Windchill exploitation: the Java application server spawning a shell.
// Any shell under java.exe/javaw.exe on a Windchill host is worth reviewing; the obviously
// malicious arguments (encoded commands, download cradles) are flagged so they sort to the top.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('java.exe', 'javaw.exe')
| where FileName in~ ('cmd.exe', 'powershell.exe', 'pwsh.exe')
| extend ParentCommandLine = InitiatingProcessCommandLine, ChildCommandLine = ProcessCommandLine
| extend SuspiciousArgs = ChildCommandLine contains "-enc" or ChildCommandLine contains "DownloadString" or ChildCommandLine contains "IEX"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ParentCommandLine, FileName, ChildCommandLine, SuspiciousArgs
| order by SuspiciousArgs desc, Timestamp desc
Velociraptor VQL
-- Hunt for recently modified JSP/JSPX files potentially acting as web shells.
-- Assumes the default C:\ptc install root; add globs for other drives or a non-default wt.home.
-- Atime is unreliable on NTFS (last-access updates are usually disabled), so Mtime drives the
-- filter; Mtime can be timestomped, so also diff the tree against a known-good install.
-- OSPath is the current column name (FullPath on older Velociraptor releases).
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['C:/ptc/**10/*.jsp', 'C:/ptc/**10/*.jspx'], accessor='auto')
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Hunt for suspicious Java child processes. pslist() only sees processes that are still
-- running; a shell that has already exited is invisible here, so pair this with Sysmon/4688 history.
SELECT Pid, Ppid, Name, Exe, CommandLine, Username,
       { SELECT Name FROM pslist(pid=Ppid) } AS ParentName,
       { SELECT CommandLine FROM pslist(pid=Ppid) } AS ParentCommandLine
FROM pslist()
WHERE Name =~ '^(cmd|powershell|pwsh)[.]exe$'
  AND ParentName =~ '^javaw?[.]exe$'
Triage Script (PowerShell)
<#
.SYNOPSIS
Incident Response Triage Script for PTC Windchill Compromise
.DESCRIPTION
Identifies recent JSP/JSPX modifications under the PTC installation tree and scans them
for common web shell signatures. A clean result is not proof of absence: an attacker can
timestomp the dropped file, so also diff the web tree against a known-good install or vendor
media, and review the Tomcat work/temp directories for compiled JSP classes.
NOTE: Run as Administrator on the PTC Application Server.
#>
Write-Host "[*] Starting PTC Windchill Incident Response Check..." -ForegroundColor Cyan

# 1. Identify PTC Windchill Installation Paths (common defaults; add your wt.home if non-standard)
$paths = @("C:\ptc", "D:\ptc", "C:\Program Files\PTC") | Where-Object { Test-Path $_ }
$webExtensions = @("*.jsp", "*.jspx")
# Raw indicators: a match is a lead for manual review, not a verdict (legitimate JSPs can use ProcessBuilder)
$suspiciousStrings = @("Runtime.getRuntime().exec", "ProcessBuilder", "javax.script", "eval(", "base64decode")
$lookbackDays = 7

if (-not $paths) {
    Write-Host "[!] No PTC installation path found; set `$paths to this server's wt.home." -ForegroundColor Yellow
    return
}

# 2. Scan for recently created or modified JSP/JSPX files (last $lookbackDays days)
Write-Host "[*] Scanning for recently modified JSP/JSPX files..." -ForegroundColor Yellow
$cutoff = (Get-Date).AddDays(-$lookbackDays)
$recentFiles = @(Get-ChildItem -Path $paths -Include $webExtensions -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff })

if ($recentFiles.Count -gt 0) {
    Write-Host "[!] Found $($recentFiles.Count) recently created/modified JSP/JSPX files:" -ForegroundColor Red
    $recentFiles | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize

    # 3. Check content for suspicious web shell signatures and record a hash for each hit
    Write-Host "[*] Analyzing content for web shell signatures..." -ForegroundColor Yellow
    foreach ($file in $recentFiles) {
        $content = Get-Content $file.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $content) { continue }
        $hits = $suspiciousStrings | Where-Object { $content -match [regex]::Escape($_) }
        if ($hits) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
            Write-Host "[!!!] POTENTIAL WEB SHELL DETECTED: $($file.FullName)" -ForegroundColor Red
            Write-Host "      Signature Match: $($hits -join ', ')" -ForegroundColor DarkRed
            Write-Host "      SHA256: $hash (preserve the file before cleanup)" -ForegroundColor DarkRed
        }
    }
} else {
    Write-Host "[+] No recently created/modified JSP/JSPX files found in standard paths." -ForegroundColor Green
}
Write-Host "[*] Script completed." -ForegroundColor Cyan
Remediation
- Patch Immediately: Apply the latest security patches provided by PTC for Windchill PDMlink and FlexPLM. For internet-facing instances, use your emergency change procedure rather than waiting for the standard maintenance window, given the CISA KEV designation.
- CISA Deadline: Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by the due date listed in the KEV entry (commonly three weeks after addition). Private sector entities should treat this as an immediate emergency.
- Isolate Compromised Systems: If web shells are detected, assume the host is fully compromised. Isolate the server from the network, preserve evidence (the web shell files, their hashes, web server and application logs), and perform a forensic investigation or re-image the environment entirely. Rotate any credentials the host held, such as Windchill database and service account passwords.
- Hunt for Persistence: Merely patching the RCE is insufficient if a web shell has already been planted. Use the scripts above to scan the codebase and temp directories, and compare the web tree against a known-good install, since a dropped file can be timestomped past a modification-time filter.
- Network Segmentation: Ensure PLM/PDM servers are not directly accessible from the internet. Place them behind a VPN or Zero Trust Access solution with strict MFA requirements.