CVE-2025-5086 Overview
CVE-2025-5086 is a critical insecure deserialization vulnerability affecting Dassault Systèmes DELMIA Apriso, a widely deployed manufacturing execution system (MES) used in industrial environments. The vulnerability exists in how the application processes untrusted serialized data, allowing remote attackers to execute arbitrary code on affected systems without authentication.
DELMIA Apriso is used extensively in manufacturing operations for production management, quality control, and supply chain visibility. Successful exploitation of this vulnerability could allow attackers to gain complete control over the affected system, potentially disrupting manufacturing operations or pivoting to other critical infrastructure within the operational technology (OT) environment.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations using DELMIA Apriso should apply patches immediately or implement mitigations.
Affected Products
- DELMIA Apriso Release 2020
- DELMIA Apriso Release 2021 through Release 2024
- DELMIA Apriso Release 2025
Discovery Timeline
- June 2, 2025 - CVE-2025-5086 published to NVD
- October 29, 2025 - Last updated in NVD database
Technical Details for CVE-2025-5086
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-known class of vulnerabilities that occurs when an application deserializes data from an untrusted source without adequate validation. In the context of DELMIA Apriso, the application accepts serialized objects over the network and processes them without properly verifying their integrity or origin.
Deserialization vulnerabilities are particularly dangerous because they can allow attackers to craft malicious serialized objects that, when deserialized by the application, trigger arbitrary code execution. The attacker does not need to authenticate to the application, and successful exploitation grants them the ability to execute commands with the privileges of the application process.
The network-accessible nature of this vulnerability combined with the lack of required user interaction makes it especially concerning for industrial environments where DELMIA Apriso systems may be exposed on corporate networks or, in some cases, accessible from the internet.
Root Cause
The root cause of CVE-2025-5086 lies in the application's failure to properly validate and sanitize serialized data before processing it. When DELMIA Apriso receives serialized objects, it deserializes them without verifying that the data originates from a trusted source or that the object types being deserialized are safe.
This allows attackers to craft malicious payloads containing gadget chains—sequences of existing application classes that, when combined during deserialization, achieve arbitrary code execution. The application's classpath likely contains libraries with known dangerous deserialization gadgets that attackers can leverage.
Attack Vector
The attack is conducted over the network without requiring authentication or user interaction. An attacker can send specially crafted serialized payloads to the vulnerable DELMIA Apriso endpoint. When the application deserializes this malicious data, it triggers the execution of attacker-controlled code.
According to the SANS Internet Storm Center analysis, active exploit attempts have been observed targeting this vulnerability. The attack typically involves:
- Identifying exposed DELMIA Apriso instances
- Crafting a malicious serialized payload with an appropriate gadget chain
- Sending the payload to the vulnerable endpoint
- Achieving code execution when the application deserializes the malicious object
The vulnerability does not require authentication, making internet-exposed instances particularly at risk.
Detection Methods for CVE-2025-5086
Indicators of Compromise
- Unexpected outbound network connections from DELMIA Apriso servers to unknown IP addresses
- Unusual process spawning from the DELMIA Apriso application process
- Presence of suspicious serialized payloads in network traffic targeting DELMIA Apriso endpoints
- Anomalous file system activity or new files created in application directories
- Authentication or authorization bypass attempts in application logs
Detection Strategies
- Deploy network intrusion detection signatures to identify known deserialization exploit patterns targeting DELMIA Apriso
- Monitor for unusual Java or .NET deserialization activity patterns in application logs
- Implement endpoint detection rules to identify suspicious child processes spawned by the DELMIA Apriso application
- Review network traffic for serialized object payloads containing known gadget chain signatures
Monitoring Recommendations
- Enable verbose logging on DELMIA Apriso instances to capture detailed request information
- Implement network segmentation monitoring to detect lateral movement from compromised MES systems
- Deploy SentinelOne agents on DELMIA Apriso servers to detect and block exploitation attempts in real-time
- Establish baseline behavior for DELMIA Apriso processes and alert on deviations
How to Mitigate CVE-2025-5086
Immediate Actions Required
- Apply the latest security patches from Dassault Systèmes immediately for all affected DELMIA Apriso installations
- Restrict network access to DELMIA Apriso systems to only authorized hosts and networks
- Ensure DELMIA Apriso instances are not directly exposed to the internet
- Implement network segmentation to isolate MES systems from general corporate networks
- Deploy application-layer firewalls or web application firewalls (WAF) to filter malicious requests
Patch Information
Dassault Systèmes has released security updates to address this vulnerability. Administrators should consult the 3DS Security Advisories page for the latest patch information and update instructions specific to their DELMIA Apriso version.
Given that this vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, federal agencies and critical infrastructure operators are required to remediate this vulnerability according to established timelines.
Workarounds
- If patching is not immediately possible, isolate DELMIA Apriso systems behind strict network access controls
- Implement input validation at the network perimeter to block known malicious serialized payloads
- Disable or restrict access to vulnerable deserialization endpoints if not required for operations
- Consider deploying runtime application self-protection (RASP) solutions to detect and block deserialization attacks
# Example network isolation using iptables (adjust IPs and ports as needed)
# Restrict access to DELMIA Apriso to specific management networks only
iptables -A INPUT -p tcp --dport 443 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
