
Cyber Centre Daily Advisory Digest — 2026-03-26 (2 advisories)

The Canadian Centre for Cyber Security issued advisories regarding a critical RCE vulnerability in PTC Windchill and FlexPLM, and an actively exploited critical vulnerability (CVE-2026-33634) that temporarily compromised the Aqua Security Trivy ecosystem supply chain.

Sens: Immediate | Conf: high | Analyzed: 2026-03-26

Authors: Canadian Centre for Cyber Security

Source: Canadian Centre for Cyber Security

Key Takeaways

  • PTC released an advisory for a critical RCE vulnerability affecting multiple versions of Windchill PDMLink and FlexPLM.
  • Aqua Security reported a critical vulnerability (CVE-2026-33634) affecting the Trivy ecosystem, including trivy, dockerhub images, setup-trivy, and trivy-action.
  • CVE-2026-33634 has been actively exploited in the wild, temporarily compromising the Trivy ecosystem supply chain.

Affected Systems

  • PTC Windchill PDMLink (multiple versions)
  • PTC FlexPLM (multiple versions)
  • trivy v0.69.4
  • trivy dockerhub images v0.69.5 and v0.69.6
  • setup-trivy prior to v0.2.6
  • trivy-action prior to v0.35.0

Vulnerabilities (CVEs)

  • CVE-2026-33634

Attack Chain

The advisory highlights a critical Remote Code Execution (RCE) vulnerability in PTC products and a supply chain compromise affecting the Aqua Security Trivy ecosystem. Threat actors actively exploited CVE-2026-33634 within the Trivy ecosystem, though specific exploitation mechanics and post-compromise actions are not detailed in the digest.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules or queries are provided in the advisory digest.

Detection Engineering Assessment

  • EDR Visibility: Low — The advisory provides no specific IOCs, file names, or process behaviors to monitor via EDR.
  • Network Visibility: Low — No network indicators or C2 domains are provided in the text.
  • Detection Difficulty: Hard — Without specific IOCs or behavioral details, detection relies entirely on identifying vulnerable software versions in the environment.

Required Log Sources

  • Vulnerability Management Scans
  • Software Composition Analysis (SCA) logs
  • Container Registry Logs

Hunting Hypotheses

  • Hypothesis: Identify instances of Trivy or PTC Windchill/FlexPLM running vulnerable versions to assess exposure to the reported critical vulnerabilities.
  • Telemetry: Software inventory logs, container image manifests
  • ATT&CK Stage: Initial Access
  • FP Risk: Low

Control Gaps

  • Lack of visibility into third-party container image vulnerabilities (Trivy supply chain)

Key Behavioral Indicators

  • Presence of trivy v0.69.4, trivy dockerhub images v0.69.5/v0.69.6, setup-trivy < v0.2.6, or trivy-action < v0.35.0
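The version pins above can be checked mechanically in CI configuration. The scanner below is an added example, not part of the digest or of Aqua Security's tooling; it assumes GitHub Actions style `uses:` pins for `aquasecurity/setup-trivy` and `aquasecurity/trivy-action`, `image:` references to the `aquasec/trivy` Docker Hub image, and a `version:` input for the trivy binary, and the sample workflow is constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected versions exactly as listed in the digest.
AFFECTED_EXACT = {
    "trivy": {(0, 69, 4)},                    # trivy binary
    "aquasec/trivy": {(0, 69, 5), (0, 69, 6)}, # Docker Hub image tags
}
FIXED_BELOW = {
    "aquasecurity/setup-trivy": (0, 2, 6),     # vulnerable prior to v0.2.6
    "aquasecurity/trivy-action": (0, 35, 0),   # vulnerable prior to v0.35.0
}

def parse_version(ref: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for 'v1.2.3' / '1.2.3'; None for SHAs or branch names."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref.strip())
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]

def find_vulnerable_pins(workflow_text: str) -> List[Tuple[str, str, str]]:
    """Scan workflow text for Trivy components at affected versions.
    Returns (component, ref, verdict) triples; SHA/branch pins are reported as
    unverifiable because the version cannot be read from the pin alone."""
    findings = []
    for comp, ref in re.findall(r"uses:\s*(aquasecurity/(?:setup-trivy|trivy-action))@(\S+)", workflow_text):
        ver = parse_version(ref)
        if ver is None:
            findings.append((comp, ref, "unverifiable pin (SHA or branch)"))
        elif ver < FIXED_BELOW[comp]:
            findings.append((comp, ref, "vulnerable"))
    for ref in re.findall(r"image:\s*aquasec/trivy:(\S+)", workflow_text):
        if parse_version(ref) in AFFECTED_EXACT["aquasec/trivy"]:
            findings.append(("aquasec/trivy", ref, "vulnerable"))
    for ref in re.findall(r"version:\s*['\"]?(v?\d+\.\d+\.\d+)", workflow_text):
        if parse_version(ref) in AFFECTED_EXACT["trivy"]:
            findings.append(("trivy", ref, "vulnerable"))
    return findings

# Constructed sample workflow (hypothetical pins, not a real pipeline).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.5
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@a1b2c3d4e5f6
  container:
    image: aquasec/trivy:0.69.6
"""
```

Running `find_vulnerable_pins(SAMPLE_WORKFLOW)` flags the setup-trivy pin, the 0.69.4 binary and the 0.69.6 image, and reports the SHA pin as unverifiable so it can be resolved against the repository by hand.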

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and update vulnerable versions of PTC Windchill PDMLink and FlexPLM.
  • Update trivy, setup-trivy, and trivy-action to patched versions immediately due to active exploitation of CVE-2026-33634.

Infrastructure Hardening

  • Review CI/CD pipelines for compromised Trivy dockerhub images (v0.69.5 and v0.69.6) and replace them with secure versions.

User Protection

  • N/A

Security Awareness

  • Monitor vendor advisories from PTC and Aqua Security for further updates and mitigation steps.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain