WTF: Police responded on Saturday night due to a zero-day
Because of the security vulnerability in Windchill and FlexPLM, police alerted affected companies. Administrators are irritated.
Police officers on duty to combat zero-days. Symbolic image, colorized and ironic.
(Image: C. Nass / Shutterstock.com / editing: heise online)
The serious security vulnerability in the products Windchill and FlexPLM prompted police action across Germany over the weekend. At the instigation of the Federal Criminal Police Office (BKA), police officers were deployed nationwide to alert affected companies -- an unprecedented procedure. The administrators, thus disturbed in their weekend, expressed irritation -- some do not even use the vulnerable software.
When the editorial office received a tip late Sunday morning about a critical security vulnerability in Windchill and FlexPLM, it sounded like a routine report: a deserialization vulnerability in specialized software, even with a maximum CVSS score of 10, doesn't usually cause a stir at heise security. Apparently, the BKA reacted quite differently: By then, it had already alerted the state criminal investigation offices (LKA) in various federal states, which sent police officers to affected companies during the night. As several readers reported in the forum, police officers were at company and private premises in the middle of the night.
3:30 AM in Germany
Their unusual mission: The officers handed over a copy of the letter to the sleepy administrators, which manufacturer PTC had already sent to all customers the day before and which contained instructions for a hotfix. An affected party reports: “The police were at our door at 3:30 AM. A production employee then informed the managing director, who informed me or a colleague.” He wonders about the urgency of the action: “Our servers are only accessible internally and cannot communicate with the WAN. The number of authorized clients is also severely restricted (different VLAN).”
Another reader received a call around 2:45 AM on Sunday morning, which he initially took as a joke -- until the police rang his doorbell shortly thereafter. And to no avail: Although his company uses PTC products, they are not the ones affected by the security vulnerability.
In response to our inquiry, several state criminal investigation offices confirmed the procedure. In a statement, the LKA Thuringia writes: “The Federal Criminal Police Office (BKA) provided the LKA Thuringia with a list of affected companies located in Thuringia. The Central Contact Point for Cybercrime (ZAC) Thuringia then initiated personal contact and attempted to establish telephone contact if personal contact was not made. The goal was to raise awareness and initiate protective measures as quickly as possible. The companies reached had already been informed by PTC Inc. and had taken security measures.”
BKA, PTC, BSI ...
The coordinated and extremely personnel-intensive procedure -- unofficially, over a thousand affected customers in Germany are mentioned -- is highly unusual and, to date, unique in Germany. This is all the more striking since neither the federal authority responsible for IT security in Germany, the BSI, nor its US counterpart CISA (Cybersecurity & Infrastructure Security Agency) has issued any particularly loud warning so far. The BSI published a notice on Monday midday in its Warning and Information Service, while CISA remains silent: the most recent entry in its “Known Exploited Vulnerabilities” list is from March 20th and concerns Apple products.
We asked the BKA, the BSI, and manufacturer PTC for a statement on this very unusual procedure. While PTC and the BKA had not yet responded by early Monday afternoon, the BSI commented cautiously. A spokesperson informed us that the evaluation criteria for security vulnerabilities “include in particular the characteristics of the vulnerability itself, but also the prevalence of the product and other -- possibly mitigating -- framework conditions. A decisive factor is the information provided to users by the manufacturer itself. To the best of the BSI's knowledge, the manufacturer has informed all customers.” Furthermore, the BSI had informed KRITIS operators separately, the agency spokesperson continued: “This is an advantage of registration with the BSI, also within the scope of NIS2.”
Schrödinger's IoC
Also puzzling is PTC's official stance that they currently have “no evidence of confirmed exploitation affecting PTC customers.” The reason: just a few lines below this sentence, apparently intended to reassure customers, PTC lists very specific Indicators of Compromise (IoC), including the presence of a specific class file (GW.class) on attacked systems. If this file is found on a Windchill server, it indicates “that the attacker has successfully weaponized the system before executing Remote Code Execution (RCE).” Schrödinger's IoC: an attacker exists, and malicious code exists on target systems -- yet according to PTC's own statement, no successful attacks have occurred.
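A defender-side sweep for the file-based indicator named above, added here as an example; it is not PTC's tooling and not part of the original article. The install root to scan is an assumption passed on the command line, and the demo directory tree is constructed test data, not a real Windchill installation:

```python
import hashlib
import json
import os
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Basename of the class file PTC lists as an indicator of compromise (from the article).
IOC_FILENAME = "GW.class"

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large artifacts are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_for_ioc(root: Path, ioc_name: str = IOC_FILENAME) -> list[dict]:
    """Walk `root` recursively and return one record per file whose basename is `ioc_name`.

    Each record carries path, size, mtime and sha256 so a hit can be preserved as
    evidence and handed to incident response without touching the file again.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name != ioc_name:          # exact basename match; other .class files are ignored
                continue
            p = Path(dirpath) / name
            st = p.stat()
            findings.append({
                "path": str(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_of(p),
            })
    return findings

def build_demo_tree(base: Path) -> Path:
    """Constructed sample layout: one benign class file plus one planted IOC file."""
    (base / "codebase" / "wt").mkdir(parents=True)
    (base / "codebase" / "wt" / "Helper.class").write_bytes(b"\xca\xfe\xba\xbe benign")
    (base / "tmp").mkdir()
    (base / "tmp" / IOC_FILENAME).write_bytes(b"\xca\xfe\xba\xbe planted")
    return base

def run_demo() -> list[dict]:
    """Build the constructed tree in a temporary directory and sweep it."""
    return sweep_for_ioc(build_demo_tree(Path(tempfile.mkdtemp())))

if __name__ == "__main__":
    # Usage: python sweep.py /path/to/windchill/root   (root path is an assumption)
    hits = sweep_for_ioc(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    print(json.dumps(hits, indent=2))
```

A hit is only the file-presence indicator PTC names; it still has to be treated as a lead for incident response, not as proof on its own.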
We have also asked PTC for a statement on this discrepancy. By early Monday afternoon, the manufacturer had not yet released any patches for the security vulnerability; the CVE ID CVE-2026-4681 has since been added. Such an identifier is necessary for inclusion in structured lists such as Cyber Threat Intelligence (CTI) feeds.
Update: The article was modified to add the CVE ID.
(cku)