German Police Alert IT Admins to Critical Windchill/FlexPLM Vulnerability (CVE-2026-4681)

by Anika Shah - Technology

German Police Wake System Admins Over Critical PTC Software Flaw

Police officers across Germany took the extraordinary step of waking corporate IT administrators in the early hours of Sunday morning to address a critical vulnerability in product lifecycle management (PLM) software from U.S. vendor PTC. The vulnerability, which carries a CVSS v4 base score of 9.3 and the maximum CVSS v3.1 base score of 10, posed an immediate threat of data exfiltration and ransomware attacks.

Urgent Response to a High-Severity Vulnerability

The vulnerability, tracked as CVE-2026-4681 and WID-SEC-2026-0822 by Germany’s Federal Office for Information Security (BSI), affects PTC’s Windchill software for manufacturers and its FlexPLM offering for brands and retailers. The flaw allows for remote code execution through the deserialization of untrusted data. PTC’s advisory stated there was no evidence of confirmed exploitation affecting customers at the time of release, but provided indicators of compromise (IOCs) for organizations to monitor.

Unprecedented Police Intervention

What distinguished this vulnerability response was the proactive and direct intervention by German law enforcement. Reports from the German cybersecurity publications Heise and BornCity, as well as a Reddit thread, describe police officers physically visiting system administrators’ homes as early as 3 a.m. or 4 a.m. on Sunday to deliver copies of PTC’s advisory.

Detective Chief Inspector Philipp Hasse, a spokesperson for the Lower Saxony State Criminal Police Office, explained that the Federal Criminal Police Office (BKA) provided a list of affected companies to his office. The state’s cybercrime contact point then initiated phone calls and visits to these companies on Saturday evening. “The goal was to raise awareness and implement protective measures as quickly as possible,” Hasse said. If phone contact failed, companies were notified by email, including a warning about the critical vulnerability and mitigation recommendations.

BKA Justification and Support

According to the BKA, this level of intervention is standard procedure when a concrete threat is identified. A BKA spokesperson stated that when a critical vulnerability is detected, the information is shared with state criminal police offices, who are then asked to support the warning process within their jurisdictions. An email sent by the Lower Saxony State Criminal Police Office, reported by BornCity, warned recipients of “concrete evidence” that the affected software was in use within their companies and that a cyberattack was “imminent.”

Mitigation and Support

PTC advised applying urgent workarounds for Apache and IIS HTTP servers, regardless of public accessibility. If systems are publicly accessible and workarounds cannot be implemented quickly, disconnecting them from the internet was recommended. PTC also announced 24/7 customer support access for all customers to address the vulnerability.
