olivierlp
Community Manager
April 2, 2026
Solved

Path Traversal Vulnerability reported in Windchill, communications via email and CS are different


Initially posted by @CM_10720949 on March 30, 2026

The case and the emails we've received about these issues are not really coherent:

 

In the email it's stated that: 

"If you have not installed the following CPS releases, we urge you to take the following actions immediately.

 

CPS Releases:

CPS F000 (Windchill Release 13.1.2)
CPS01 (Windchill Release 13.1.1)
CPS05 (Windchill Release 13.1.0)
CPS07 (Windchill Release 13.0.2)
CPS18 (Windchill Release 12.1.2)"

 

while on https://www.ptc.com/en/support/article/CS466866 it's stated:

  • This advisory applies to all CPS versions

 

So which one is correct?

 

FYI, we're on 12.1.2.18, and I've implemented the first mitigation; now I'm wondering if I need to do the second... Since the email and CS are stating the opposite, here I am asking.

 


This topic and the replies were published during the recent read-only period. We have manually republished the missing posts to preserve the integrity of the conversation.

April 2, 2026

The Community team


    olivierlp
    Community Manager
    April 2, 2026

    Initially posted by @bmüller on March 30, 2026


     

    Hi,

    We understood that you must add BOTH Apache LocationMatch directives (...wt\.wrmf\.transport... and .../com\.ptc\.wvs\.server...) AND apply the latest CPS or at least the one from 2025-August.

    What I'm not sure about is why PTC mentions creating 2 different files, 90-app-Windchill-Auth.conf and 91-app-Windchill-Auth.conf. Any issues with just creating one file with both?

    Olivier
    olivierlp
    Community Manager
    April 2, 2026
    Best answer

    Initially posted by @CS_9946173 on March 30, 2026


     

    Hi ​@CM_10720949  

    The article https://www.ptc.com/en/support/article/CS466866 has been updated since the original communications went out. The CPS information is no longer included in the article. (You should subscribe to the article and review the change log at the bottom.)

    After further investigation we have expanded the scope of the recommended workaround to all Windchill releases based on additional potential risks identified. That is to say that every Windchill version, regardless of CPS, should apply the Apache fixes from both CS466866 and CS466318.

    @bmüller the articles were created independently; while you can combine the fixes into one file, it is recommended to follow the instructions as is for consistency.

    Olivier
    olivierlp
    Community Manager
    April 2, 2026

    Initially posted by @bmüller on March 31, 2026


     

    Thanks for clarifying. We already have a few additional files, so we’ll keep that single file.

    Olivier
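
An added example, not part of the thread or of PTC's articles: a Python check that both LocationMatch mitigations mentioned above are present and active in an Apache conf directory, whether they sit in one file or two. It matches only the pattern fragments quoted in the thread; the function names, the directory argument and the placeholder file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Fragments quoted in the thread; the complete expressions are in the PTC articles.
REQUIRED = (r"wt\.wrmf\.transport", r"com\.ptc\.wvs\.server")

# Opening tag of an active LocationMatch block. A line starting with '#'
# (commented out) or a closing </LocationMatch> tag does not match.
OPEN_TAG = re.compile(r"^\s*<LocationMatch\s+(.+?)>\s*$", re.IGNORECASE)


def find_mitigations(conf_dir):
    """Map each required fragment to the .conf files with an active block for it."""
    found = {frag: [] for frag in REQUIRED}
    for conf in sorted(Path(conf_dir).glob("*.conf")):
        for line in conf.read_text(errors="replace").splitlines():
            tag = OPEN_TAG.match(line)
            if tag is None:
                continue
            for frag in REQUIRED:
                if frag in tag.group(1) and conf.name not in found[frag]:
                    found[frag].append(conf.name)
    return found


def missing(found):
    """Fragments for which no active LocationMatch block was seen."""
    return [frag for frag in REQUIRED if not found[frag]]


def demo():
    # Constructed sample: a single combined file whose second directive was
    # left commented out, so only one mitigation is actually active.
    a = r'<LocationMatch "PLACEHOLDER/wt\.wrmf\.transport/PLACEHOLDER">'
    b = r'<LocationMatch "PLACEHOLDER/com\.ptc\.wvs\.server/PLACEHOLDER">'
    body = "  # directives as given in the PTC article\n</LocationMatch>\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "90-app-Windchill-Auth.conf").write_text(f"{a}\n{body}# {b}\n")
        return missing(find_mitigations(d))


if __name__ == "__main__":
    print("missing:", demo())
```

Presence in the directory does not prove Apache loads the file; confirm the directory is covered by the server's Include directives.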