Re: Critical vulnerability CVSS10.0

CC_3911250 · ‎Mar 21, 2026

I am using Windchill PDMLink Release 10.0 and Datecode with CPS M010

Critical vulnerability (CVSS10.0) in its Windchill and FlexPLM products. Want to add the immediate remediation steps but don't understand instructions.
Currently have "D:\ptc\Windchill_12.1\HTTPServer\conf\conf.d\30-app-Windchill-Auth.conf" file. Do I simply create the new 90-app-Windchill-auth.conf and ONLY put the entry that was sent in the remediation or do I copy the 30-app file renaming to 90-app and have all of my configuration settings plus remediation???

AtharvaD · ‎Mar 21, 2026

Hello @CC_3911250 ,

You need to create the 90-app-Windchill-auth.conf and ONLY put the entry that was sent in the remediation.

as per https://www.ptc.com/en/support/article/CS466318

Regards,

Atharva

bmüller · ‎Mar 30, 2026

Hi @AtharvaD

with the second remediation, is there any reason to create 2 files with only those configs? or will one 90-... file with both work too? in "normal Apache" this should make no difference.

Regards,

Bernhard

SS_10316298 · ‎Mar 30, 2026

Hi @CC_3911250 ,

Since you are currently on Windchill PDMLink Release 10.0 with CPS M010, we have documented a remediation for this version in the following article:

Article - CS466867 - Workarounds for Windchill and FlexPLM Path Traversal Vulnerability in Out of Support Releases

@bmüller , For Windchill 11.0 and above, please follow the steps outlined in the referenced articles below:

Article - CS466318 - Critical RCE Vulnerability reported in Windchill
Article - CS466866 - Urgent: Path Traversal Vulnerability reported in Windchill and FlexPLM

For this update, you can create a new file in the 90–99 range.

From my understanding, the order does not matter as long as both files are placed at the end of the sequence.

I hope this provides the clarity you needed.

Best regards,
Samarth Shelke

bmüller · ‎Mar 30, 2026

Hi @SS_10316298

but why 2 files? Why not a single file 90-app-Windchill-Auth.conf and add both blocks:

<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>

<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
  Require all denied
</LocationMatch>

mmeadows-3 · ‎Mar 30, 2026

The articles were not written at the same time and are designed to be independent. So, each article identifies a unique file name. There is no reason to create two files. In your combined file, ensure they are in the order defined by the articles (90 first and 91 second). Also document these changes to make it easier to identify the source of the changes. I created a single 90-app-Windchill-Auth.conf file.

# Security Patches
# 3/23/2026 https://www.ptc.com/en/support/article/CS466318
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
Require all denied
</LocationMatch>

# 3/28/2026 https://www.ptc.com/en/support/article/CS466866
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>

mmeadows-3 · ‎Mar 30, 2026

FYI: I got direct feedback from PTC.

"They can be combined, but for consistency sake it is better to follow the instructions explicitly."

SS_10316298 · ‎Mar 30, 2026

Hi @mmeadows-3 ,

We introduced a new file for the Path Traversal vulnerability because it provided a more straightforward approach.

Since separate articles were created for two distinct vulnerabilities, it is logical to maintain a dedicated file for each.

While it is technically possible to combine both Apache configuration updates into a single file, doing so increases the risk of typos or accidental overwrites. Therefore, we recommend following the documented guidance unless a customer has a specific constraint that prevents them from doing so.

Best Regards,
Samarth Shelke

SS_10316298 · ‎Mar 21, 2026

Apache HTTP Server Configuration – Workaround Steps

Create a new Apache configuration file:
<APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf

Add the following directive to the file:

<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>

Save the configuration file.

NOTE: If other Apache configuration files exist with sequence numbers higher than 90, ensure this new file is the last in the sequence.
Restart Apache HTTP Server for changes to take effect:
- Linux:
```
apachectl stop
apachectl start
```
- Windows (Service):
  - Open Services
  - Stop Apache HTTP Server
  - Start Apache HTTP Server