PTC Windchill — CVE-2026-4681 Critical Active Exploitation
PTC Windchill: Active Exploitation Confirmed (CVE-2026-4681)
Confidence: High
The critical vulnerability in PTC Windchill Product Lifecycle Management (PLM) software, tracked as CVE-2026-4681 (CVSS 10.0), is now being actively exploited in the wild. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 25, 2026, marking a significant escalation for manufacturing and engineering firms that rely on the platform for critical IP management. The flaw allows unauthenticated remote code execution (RCE) and represents a Tier-1 risk to industrial supply chains. Organisations must prioritise manual mitigations and vendor-issued patches immediately, as attackers are already bypassing legacy security controls to target PLM databases.
Akira Ransomware: Systematic Targeting of UK Construction Sector
Confidence: High
The Akira ransomware group has significantly expanded its campaign against the UK construction and engineering sector, listing two major firms—Galliford Try and Kier Group—as victims within the last 24 hours. This follows the targeting of Angus-Young Associates yesterday, confirming a coordinated effort to disrupt the UK’s building and infrastructure supply chain. The campaign appears focused on exfiltrating sensitive project data and financial records, creating substantial downstream risks for sub-contractors and clients within the Critical National Infrastructure (CNI) space. UK construction firms should immediately review their backup integrity and monitor for Akira-specific TTPs.
Progress WhatsUp Gold: Day-1 Active Scanning (CVE-2026-5102)
Confidence: High
A new critical SQL injection vulnerability in Progress WhatsUp Gold, tracked as CVE-2026-5102 (CVSS 9.8), is currently under active internet-wide scanning. GreyNoise detected reconnaissance and exploitation attempts within six hours of the vulnerability’s disclosure on March 25. The flaw allows unauthenticated attackers to execute arbitrary code on the underlying server, potentially compromising the entire network monitoring environment. Administrators must update to version 24.1.2 or later immediately to mitigate this risk.
Update: pac4j-jwt Public PoC Available (CVE-2026-29000)
Confidence: High
A public Proof-of-Concept (PoC) exploit for the authentication bypass vulnerability in the pac4j-jwt Java library (CVE-2026-29000, CVSS 10.0) has been published to GitHub. This significantly lowers the barrier to exploitation, upgrading the risk level for Java-based authentication middleware to EXTREME. Organisations using pac4j for JWT validation must audit their dependencies and apply the latest security patches.
Why This Matters
The shift from disclosure to active exploitation of PTC Windchill (CVE-2026-4681) represents a direct threat to the integrity of global manufacturing IP. Furthermore, the systematic targeting of the UK construction sector by Akira suggests a strategic shift in ransomware operations towards essential infrastructure and its supporting supply chains. These developments, combined with "Day-1" scanning of network management tools like WhatsUp Gold, leave no window for delayed patching.
Recommended Actions
- Patch PTC Windchill (CVE-2026-4681) immediately; prioritise systems with direct internet exposure or those containing sensitive engineering designs.
- Update Progress WhatsUp Gold to version 24.1.2 or later to mitigate CVE-2026-5102; monitor for anomalous SQL activity on monitoring servers.
- UK construction firms should urgently audit their perimeter security and backup air-gapping in response to the Akira campaign against Galliford Try and Kier Group.
- Audit pac4j-jwt dependencies in Java applications and test against the new public PoC (CVE-2026-29000).
All findings grounded in A13E intelligence sweeps through 07:30 UTC 26 March 2026.