Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
German police showed up at factory doors this week. Not to investigate a crime. To warn companies about a software vulnerability that doesn’t have a patch yet.
That’s not normal. Pay attention.
CVE-2026-4681 is a critical remote code execution flaw in PTC Windchill: deserialization of untrusted data that leads to code injection and full server takeover. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog. The advisory came jointly from CISA and Germany's BSI. Transatlantic coordination on a single PLM (product lifecycle management) software flaw is rare. When both agencies commit to that level of effort, they've decided the risk justifies it.
There’s still no patch available. That’s the uncomfortable part.
And Windchill isn’t just any enterprise software. It’s the system manufacturers, defense contractors, and aerospace companies use to manage product designs, engineering specs, and production processes. A successful exploit doesn’t just hand over network access. It potentially hands over years of proprietary engineering work. Design files. Build documentation. For a defense contractor, that’s a different category of catastrophic than a billing system ransomware hit.
Law enforcement visiting industrial facilities before a patch ships sends one clear message: the window between “vulnerability known” and “active exploitation” is very short. Too short for normal change management to protect you.
CISA's compensating controls are your only real option right now. Implement them. If you haven't already, segment Windchill off from internet-facing systems and verify that the server is reachable only from the engineering networks that need it. Watch for the patch yourself; don't wait for your vendor process to surface it.
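One way to do the "watch it yourself" part, as an added example that is not part of the original post: a small Python script that checks a KEV feed against your own asset inventory and flags the hosts whose KEV entry still calls for mitigations rather than updates. The feed sample and the inventory below are constructed placeholders. The field names match the shape of CISA's published KEV JSON feed, but the values shown for CVE-2026-4681 (dates, description, required action) are made up for illustration and are not the real catalog entry. The "apply updates" versus "apply mitigations" test is an assumption based on the wording KEV normally uses, not a documented API.

```python
"""Cross-check a CISA KEV feed against a local asset inventory.

Flags inventory hosts whose product appears in KEV and reports whether
the required action still reads as "mitigations only" (no vendor fix).
Added example; sample data is constructed and is not the real KEV entry.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. Placeholder values only.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "0000.00.00",
  "dateReleased": "2026-01-01T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-4681",
      "vendorProject": "PTC",
      "product": "Windchill",
      "vulnerabilityName": "PTC Windchill Deserialization of Untrusted Data Vulnerability",
      "dateAdded": "2026-01-01",
      "shortDescription": "Placeholder description, not the real entry.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-01-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-0000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleApp",
      "vulnerabilityName": "Placeholder entry for an unrelated product",
      "dateAdded": "2026-01-01",
      "shortDescription": "Placeholder.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2026-01-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed inventory. Hostnames and exposure flags are placeholders.
SAMPLE_INVENTORY = [
    {"host": "plm01.example.internal", "vendor": "PTC", "product": "Windchill", "internet_exposed": False},
    {"host": "plm-dmz.example.internal", "vendor": "PTC", "product": "Windchill PLM", "internet_exposed": True},
    {"host": "erp01.example.internal", "vendor": "OtherVendor", "product": "ERP Suite", "internet_exposed": False},
]


def parse_kev(feed_text):
    """Return the list of vulnerability entries from a KEV feed JSON document."""
    return json.loads(feed_text)["vulnerabilities"]


def patch_available(entry):
    """Heuristic on KEV wording (assumption): 'Apply updates' means a fix exists,
    'Apply mitigations' means only workarounds exist. None if neither matches."""
    action = entry.get("requiredAction", "").lower()
    if "apply updates" in action or "apply patches" in action:
        return True
    if "apply mitigations" in action:
        return False
    return None


def matches_asset(entry, asset):
    """Vendor must match exactly (case-insensitive); product matches if either
    name contains the other, since KEV product names are often broader."""
    if entry["vendorProject"].strip().lower() != asset["vendor"].strip().lower():
        return False
    kev_product = entry["product"].strip().lower()
    asset_product = asset["product"].strip().lower()
    return kev_product in asset_product or asset_product in kev_product


def kev_exposure(feed_text, inventory, today):
    """Return one finding per (KEV entry, matching host), worst first:
    internet-exposed hosts with no patch available, then nearest due date."""
    findings = []
    for entry in parse_kev(feed_text):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not matches_asset(entry, asset):
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_to_due": (due - today).days,
                "patch_available": patch_available(entry),
                "internet_exposed": asset["internet_exposed"],
            })
    findings.sort(key=lambda f: (not f["internet_exposed"],
                                 f["patch_available"] is not False,
                                 f["days_to_due"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposure(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.today()):
        status = {True: "patch available", False: "MITIGATIONS ONLY", None: "unknown"}[f["patch_available"]]
        exposure = "INTERNET-EXPOSED" if f["internet_exposed"] else "internal"
        print(f'{f["host"]:28} {f["cve"]:16} {status:18} {exposure:16} due in {f["days_to_due"]} days')
```

In practice, replace SAMPLE_KEV_JSON with the live feed (CISA publishes it at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and run it on a schedule; a change from "Apply mitigations" to "Apply updates" for this CVE is the signal that a patch has shipped, and the internet-exposed rows are the ones to fix first.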
No confirmed US exploitation as of publication. But "imminent" from CISA, combined with German police knocking on factory doors on the back of the joint CISA and BSI advisory, is about as loud as these agencies get before an incident happens.