Windchill & ZeroPLM 0-day vulnerabilities

The Windchill and ZeroPLM software systems contain critical vulnerabilities (CVSS score 10.0) that companies using these products should have been aware of since the weekend. These vulnerabilities have prompted various German state criminal investigation offices to send police officers to visit system administrators and inform them to take action (a move that has caused quite a stir).

Vulnerabilities in Windchill & FlexPLM

Windchill is a data management software that enables the dynamic analysis of enterprise data. The PTC Community features a post titled "Critical vulnerability CVSS 10.0" dated March 21, 2026, which highlights critical vulnerabilities (CVSS 10.0) in the Windchill and FlexPLM products. There is also a security alert titled "Notice of Windchill and FlexPLM Critical Vulnerability March 20, 2026," which lists the affected versions of Windchill and FlexPLM.

This is a remote code execution (RCE) vulnerability that can be exploited through the deserialization of untrusted data. The CVSS v3.1 base score is listed as 10.0 (critical). As of March 22, 2026, there are currently no reports of confirmed attacks affecting PTC customers.

The post states that until official patches are available, customers must urgently take measures for all publicly accessible Windchill systems to protect their environments. The linked security advisory describes how the Apache HTTP server configuration for each Windchill or FlexPLM system should be secured.
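The post does not reproduce the vendor's hardening steps, so the following is an added illustration (not the PTC advisory's text and not taken from the post) of the kind of interim measure a defender would apply at the Apache HTTP Server front end of a publicly reachable Windchill or FlexPLM system: restricting the application path to trusted source networks until the official patch is installed. The context path `/APP_CONTEXT_PATH/` and the address ranges are placeholders; substitute your deployment's actual path and internal networks.

```apache
# Added example, not the vendor's advisory: limit a publicly reachable
# Windchill/FlexPLM front end to trusted networks until the patch is applied.
# Assumptions (placeholders, not from the post): the application is served
# under /APP_CONTEXT_PATH/, and 10.0.0.0/8 plus 192.168.1.0/24 stand for the
# internal network and the VPN pool that legitimately need access.
<Location "/APP_CONTEXT_PATH/">
    # Apache 2.4 authorization. Several Require lines inside a Location
    # are OR-ed by default (implicit RequireAny); every other client gets 403.
    Require ip 10.0.0.0/8
    Require ip 192.168.1.0/24
</Location>

# Write rejected requests to the application path into their own log file
# so that access attempts from outside the allowed ranges are visible to
# monitoring while the system remains unpatched.
LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\"" blocked
CustomLog "logs/app_blocked.log" blocked "expr=%{REQUEST_STATUS} == 403 && %{REQUEST_URI} =~ m#^/APP_CONTEXT_PATH/#"
```

Validate the configuration with `apachectl configtest` before reloading, then confirm from an address outside the allowed ranges that the application path returns 403 and that the attempt appears in the blocked log. Note that this only narrows exposure; it is no substitute for installing the vendor's patch on every affected instance, including internal ones.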

German CERT sends police to warn administrators

According to my information, the vendor has directly notified its customers via email about the above security issue. Since I've been away since Friday, the whole process has somewhat passed me by. But on Saturday/Sunday night (March 21/22, 2026), German state criminal investigation offices decided to send police officers to system administrators and inform them to take action (or tried to contact the administrators by phone). No further information was given as to why the police took this action.
