Police Fanned Out Early Sunday Brandishing an Advisory of a CVSS 10 Vulnerability
David Meyer
March 25, 2026

German police apparently on their way to wake up a system administrator at 3 a.m. (Image: Shutterstock)
Police officers across Germany roused corporate IT administrators during the early hours of Sunday morning. Their message to bleary-eyed admins was to immediately patch a critical vulnerability in popular product lifecycle management software from U.S. vendor PTC.
The cops warned the admins that they expected criminal actors to immediately begin exploiting a vulnerability in PTC’s Windchill software for manufacturers and its FlexPLM offering for brands and retailers. They said the attackers could use the flaw to exfiltrate data and install crypto-locking ransomware.
The still-unpatched vulnerability, tracked as CVE-2026-4681 and, by Germany’s Federal Office for Information Security, as WID-SEC-2026-0822, carries a CVSS v4 base score of 9.3 and a maximal CVSS v3.1 base score of 10. The flaw could allow remote code execution through the deserialization of untrusted data – that is, the server converting attacker-supplied bytes back into live objects in memory, so that whoever controls the bytes also influences what code runs while the objects are rebuilt.
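To make the vulnerability class concrete, here is an added, generic illustration of deserialization of untrusted data and of a mitigation. It is not PTC’s code and says nothing about how Windchill is implemented; it uses Python’s pickle format purely because it shows the mechanism in a few lines. The Gadget class, the benign part record and the allowlist are constructed for this example.

```python
"""Added illustration of 'deserialization of untrusted data' (not PTC code).

The attacker controls serialized bytes; a permissive loader rebuilds whatever
the bytes describe, including a call to an arbitrary function.
"""
import io
import os
import pickle

# Constructed sample: the kind of record an application legitimately expects.
BENIGN_RECORD = {"part_id": "WT-1001", "qty": 3}

# Allowlist of (module, name) pairs a restricted loader may resolve. Assumption
# for this example: plain builtin containers are all the application needs.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class Gadget:
    """Constructed attacker object: instead of rebuilding itself on load it
    tells the loader to call os.getpid(). A real payload names something far
    worse; getpid is used only so the example stays harmless."""

    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_blob() -> bytes:
    """Bytes an attacker would send: they encode 'call os.getpid()'."""
    return pickle.dumps(Gadget())


def build_benign_blob() -> bytes:
    """Bytes a legitimate client would send."""
    return pickle.dumps(BENIGN_RECORD)


def naive_load(blob: bytes):
    """VULNERABLE: pickle.loads resolves and calls any global the stream names."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuses every global outside the allowlist, so the
    stream can describe data but cannot reach arbitrary callables."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Run both loaders over both inputs and report what happened."""
    malicious = build_malicious_blob()
    benign = build_benign_blob()

    # The naive loader executed the attacker's chosen callable: the 'object'
    # it returns is the result of os.getpid(), not a Gadget at all.
    naive_executed_callable = naive_load(malicious) == os.getpid()

    try:
        restricted_load(malicious)
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True

    # Legitimate data still round-trips through the restricted loader.
    restricted_roundtrip = restricted_load(benign) == BENIGN_RECORD

    return {
        "naive_executed_callable": naive_executed_callable,
        "restricted_blocked": restricted_blocked,
        "restricted_roundtrip": restricted_roundtrip,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist approach is the standard hardening for native object serializers: the loader decides which classes may be instantiated, not the sender. Where a format can carry only data (JSON with a schema, for instance), the whole class of bug disappears, which is why advisories for this bug class usually end with “do not deserialize untrusted input” rather than with a list of bad classes to block.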
An advisory from PTC noted “no evidence of confirmed exploitation affecting PTC customers,” but listed known indicators of compromise. “If any of the IOCs are identified on the Windchill Server, please immediately notify your company’s security team to initiate your company’s response plan,” it reads.
The advisory details Apache and IIS HTTP server workarounds that should be applied urgently, whether or not the deployments are publicly accessible over the internet. If they are publicly accessible and the workarounds cannot be quickly applied, the advice is to disconnect the systems from the internet. “Effective immediately, PTC is granting 24×7 customer support access and coverage to all PTC customers regardless of support level to address all matters specific to this vulnerability,” the advisory states.
Mach Schneller! Es Gibt Eine CVE! (Faster! There’s a CVE!)
But what’s most notable about this vulnerability is the extraordinary measures that Germany’s Federal Criminal Police Office took to urge companies’ admins to apply those workarounds.
As recounted by many people in the comments sections of German cybersecurity publication Heise, IT blog BornCity, as well as in a Reddit thread, state police showed up at some admins’ private homes around 3 a.m. or 4 a.m. on Sunday morning, brandishing physical copies of the advisory that PTC emailed out to customers the previous day. The cops had in some cases tried calling the admins shortly before the visits, only for those people – at least, those who woke up – to suspect scams or pranks and decline to take the calls. Some recounted their companies did not even use the affected PTC products.
“We’re surprised by this approach, as PTC usually handles such vulnerabilities relatively calmly. They’re typically fixed in the next CPS update,” read a typical comment on Heise’s site. “This level of activism is unprecedented.” Nobody in any of these forums suggested that they had experienced anything like this police action before.
Detective Chief Inspector Philipp Hasse, a spokesperson for the Lower Saxony State Criminal Police Office, told Information Security Media Group on Wednesday that the Federal Criminal Police Office – BKA in its German acronym – provided his office with a list of affected companies in the state. He said the state’s central cybercrime contact point started phoning and visiting the companies on Saturday evening.
“The goal was to raise awareness and implement protective measures as quickly as possible,” Hasse said. “If a company could not be reached by telephone, it was informed by email. This notification included a warning about the critical vulnerability, specific recommendations for minimizing risks and the mitigation measures published by the vendor. The Lower Saxony State Criminal Police Office considers the effectiveness and appropriateness of this immediate notification to be targeted and effective in protecting the affected companies from further and serious damage as quickly as possible.”
Hasse also confirmed the authenticity of an email that his office sent out, which was reported by a reader of the BornCity blog. It told recipients that there was “concrete evidence” of the affected software being used in their companies.
“Based on current findings, it can be assumed that the vulnerability in the Windchill software is intended to be exploited by criminal actors to potentially compromise systems, steal the data contained therein, and execute encryption software (ransomware) and that a cyberattack is therefore imminent,” the email read. “Therefore, an independent review is requested. It is expected that the perpetrators could exploit the vulnerability as early as this weekend.”
PTC did not respond to a request for comment at the time of publication. But, according to the BKA, all this is standard procedure.
“If a concrete threat exists in the overall police assessment, this information is regularly passed on to the state criminal police offices within the framework of the BKA’s central office function and they are asked to support the official warning process in their respective areas of responsibility,” a spokesperson told ISMG on Wednesday.
“Last Friday, the Federal Criminal Police Office became aware of a critical vulnerability in a software product of a U.S. software manufacturer and, following established procedures, informed the state criminal police offices.”