topic Re: Path Traversal Vulnerability reported in Windchill, comunications via email and CS are different in Windchill

Path Traversal Vulnerability reported in Windchill, comunications via email and CS are different

CM_10720949 — Mon, 30 Mar 2026 06:58:34 GMT

the case and the emails we've received about these issues are not really coherent:

In the email it's stated that:

"If you have not installed the following CPS releases, we urge you to take the following actions immediately.

CPS Releases:

CPS F000 (Windchill Release 13.1.2)
CPS01 (Windchill Release 13.1.1)
CPS05 (Windchill Release 13.1.0)
CPS07 (Windchill Release 13.0.2)
CPS18 (Windchill Release 12.1.2)"

while on the https://www.ptc.com/en/support/article/CS466866 it's stated:

This advisory applies to all CPS versions

So which one is correct?

fyi we're on 12.1.2.18, and I've implemented the first mitigation, now i'm wondering if I need to do the second... since email and CS are stating the opposite, here i am asking.

Re: Path Traversal Vulnerability reported in Windchill, comunications via email and CS are different

bmüller — Mon, 30 Mar 2026 07:42:36 GMT

Hi,

we understood it that you must add BOTH Apache LocationMatch directives (...wt\.wrmf\.transport... and ) .../com\.ptc\.wvs\.server...) AND apply the latest CPS or at least the one from 2025-August.

what I'm not sure - why PTC mentions to create 2 different files 90-app-Windchill-Auth.conf and 91-app-Windchill-Auth.conf. Any issues just create one files with both?

Re: Path Traversal Vulnerability reported in Windchill, comunications via email and CS are different

CS_9946173 — Mon, 30 Mar 2026 18:45:21 GMT

Hi @CM_10720949

The article https://www.ptc.com/en/support/article/CS466866 has been updated since the original communications went out. The CPS information is no longer included in the article. (You should subscribe to the article and review the change log at the bottom)

After further investigation we have expanded the scope of the recommended workaround to all Windchill releases based on additional potential risks identified. That is to say that every Windchill Version regardless of CPS should apply the Apache fixes from both CS466866 and CS466318

@bmüller the articles were created independently, while you can combine the fixes into one file, it is recommended to follow the instructions as is for consitency.

Re: Path Traversal Vulnerability reported in Windchill, comunications via email and CS are different

bmüller — Tue, 31 Mar 2026 06:12:32 GMT

Thanks for clarifying. We have already a few additional files so we’ll keep that single file.