CVE-2025-5086 Overview
CVE-2025-5086 is a deserialization of untrusted data vulnerability in Dassault Systèmes DELMIA Apriso, a manufacturing operations management (MOM) platform widely deployed in industrial environments. The flaw affects every release from 2020 through 2025 and allows remote attackers to achieve arbitrary code execution on vulnerable servers. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The SANS Internet Storm Center has also published telemetry showing in-the-wild exploit attempts targeting exposed Apriso instances.
Critical Impact
Unauthenticated remote attackers can execute arbitrary code on DELMIA Apriso servers, compromising manufacturing operations and pivoting into operational technology environments.
Affected Products
- Dassault Systèmes DELMIA Apriso Release 2020
- Dassault Systèmes DELMIA Apriso Releases 2021 through 2024
- Dassault Systèmes DELMIA Apriso Release 2025
Discovery Timeline
- 2025-06-02 - CVE-2025-5086 published to NVD
- 2025-10-29 - Last updated in NVD database
- Confirmed - Added to CISA Known Exploited Vulnerabilities catalog
Technical Details for CVE-2025-5086
Vulnerability Analysis
The vulnerability is classified as [CWE-502] Deserialization of Untrusted Data. DELMIA Apriso accepts serialized objects from network-facing interfaces without validating their contents before reconstruction. When the application deserializes attacker-supplied data, it can be coerced into instantiating malicious gadget chains that lead to arbitrary code execution under the privileges of the application server process.
DELMIA Apriso is deployed by manufacturers to coordinate production scheduling, quality, warehouse, and maintenance operations. Compromise of an Apriso server gives attackers a foothold adjacent to operational technology (OT) networks and access to sensitive production data. The CVE's EPSS percentile is high, which is consistent with the active exploitation recorded by public telemetry sources.
Root Cause
The root cause is the application's acceptance of serialized objects from untrusted sources without type filtering, integrity checking, or allow-list validation. The deserializer reconstructs arbitrary classes referenced in the payload, which enables gadget chains that invoke methods leading to command execution.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker sends a crafted serialized payload to an internet-exposed or internally reachable DELMIA Apriso endpoint. According to the SANS Internet Storm Center, observed exploit attempts deliver serialized payloads to Apriso web service endpoints to trigger code execution. See the SANS Exploit Attempts Diary for traffic samples and indicators.
No verified public proof-of-concept code is referenced in the available advisories. Defenders should treat any unexpected serialized traffic to Apriso services as suspicious.
Detection Methods for CVE-2025-5086
Indicators of Compromise
- Unexpected POST requests to DELMIA Apriso web service endpoints whose bodies carry .NET serialized-object signatures, either raw or base64-encoded inside a SOAP or XML envelope
- New child processes spawned by the IIS worker process (w3wp.exe) that hosts the Apriso application, particularly cmd.exe, powershell.exe, or scripting hosts
- Outbound network connections from the Apriso server to unfamiliar external hosts following inbound HTTP requests
- Refer to the SANS Exploit Attempts Diary for observed exploit traffic patterns
Detection Strategies
- Inspect HTTP request bodies to Apriso endpoints for serialized object headers and known deserialization gadget class names
- Monitor the Apriso application server process for anomalous child process creation and file write activity in web-accessible directories
- Alert on creation of new scheduled tasks, services, or persistence artifacts on hosts running DELMIA Apriso
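The request-body inspection described in the indicators and detection strategies above, as an added example that is not code from Dassault Systèmes, SANS ISC or CISA. It scans bodies sent to an assumed Apriso path prefix for the .NET BinaryFormatter stream header (raw or inside base64 runs), for base64 blobs that decode to a Windows executable, and for type names that appear in well-known ysoserial.net gadget chains. The endpoint prefix, the sample SOAP requests and the stand-in serialized fragment are constructed for illustration; the fragment is a structural placeholder, not a working gadget chain.

```python
"""Heuristic inspection of HTTP request bodies sent to Apriso endpoints for
.NET deserialization payloads. Added example; the endpoint prefix, the sample
requests and the serialized fragment below are constructed, not captured."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Only requests under this path are inspected (assumption for this example;
# set it to the Apriso virtual directory actually used in your deployment).
APRISO_PATH_PREFIX = "/apriso/"

# 17-byte header that .NET BinaryFormatter writes first (SerializationHeaderRecord:
# record type 0x00, rootId 1, headerId -1, major version 1, minor version 0).
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
PE_MAGIC = b"MZ"  # DOS header that starts every Windows executable

# Type names that appear inside well-known ysoserial.net gadget chains.
GADGET_TYPE_NAMES = (
    b"System.Windows.Data.ObjectDataProvider",
    b"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties",
    b"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector",
    b"System.DelegateSerializationHolder",
    b"System.Diagnostics.Process",
)

# Runs of base64 text long enough to carry a serialized object or a PE file.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    def note(self, reason: str) -> None:
        if reason not in self.reasons:
            self.reasons.append(reason)


def decoded_base64_runs(body: bytes):
    """Yield each plausible base64 run in the body, decoded to bytes."""
    for match in BASE64_RUN.finditer(body):
        run = match.group(0)
        padded = run + b"=" * (-len(run) % 4)
        try:
            yield base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all; ignore the run


def inspect_request(path: str, body: bytes) -> Finding:
    """Return a Finding listing why the request looks like a deserialization attack."""
    finding = Finding(path)
    if not path.lower().startswith(APRISO_PATH_PREFIX):
        return finding  # out of scope for this detector
    candidates = [("raw body", body)]
    candidates += [("base64 blob", blob) for blob in decoded_base64_runs(body)]
    for where, blob in candidates:
        if BINARYFORMATTER_HEADER in blob:
            finding.note(f"BinaryFormatter header in {where}")
        if blob.startswith(PE_MAGIC):
            finding.note(f"{where} is a PE executable (MZ header)")
        for name in GADGET_TYPE_NAMES:
            if name in blob:
                finding.note(f"gadget type name {name.decode()} in {where}")
    return finding


def _soap(inner: bytes) -> bytes:
    return (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<s:Body>" + inner + b"</s:Body></s:Envelope>")


# Constructed sample traffic (not captured data).
BENIGN_REQUEST = _soap(b"<GetOrder><orderId>42</orderId></GetOrder>")

# Stand-in BinaryFormatter stream: header, a BinaryLibrary record byte and a
# library id, then a gadget type name. Structural placeholder only.
_fake_serialized = (BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00"
                    + b"System.Windows.Data.ObjectDataProvider, PresentationFramework")
GADGET_REQUEST = _soap(b"<Invoke><data>" + base64.b64encode(_fake_serialized)
                       + b"</data></Invoke>")

# A base64 blob that decodes to bytes beginning with a DOS/PE header.
DROPPER_REQUEST = _soap(b"<Invoke><data>"
                        + base64.b64encode(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
                        + b"</data></Invoke>")

if __name__ == "__main__":
    samples = (("benign", BENIGN_REQUEST), ("gadget", GADGET_REQUEST),
               ("dropper", DROPPER_REQUEST))
    for label, body in samples:
        result = inspect_request("/apriso/WebServices/Example.svc/Invoke", body)
        print(label, result.suspicious, result.reasons)
```

Running the block reports the benign request as clean and the two constructed requests with their reasons. Because Apriso requests are SOAP, a WAF signature that only looks for the raw header will miss payloads that arrive base64-encoded inside an XML element, which is why the decoder pass matters; conversely, any legitimate Apriso service that carries large base64 attachments will need an allow-list for its endpoints before this logic is used to block rather than alert.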
Monitoring Recommendations
- Forward web server, IIS, and application logs from Apriso hosts to a centralized SIEM and correlate them against the exploit traffic patterns documented in the SANS Exploit Attempts Diary
- Enable command-line auditing on Apriso servers to capture process arguments associated with post-exploitation activity
- Track east-west traffic between Apriso servers and OT or ERP segments to detect lateral movement following compromise
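The process-tree and web-root write monitoring recommended above, as an added example that is not vendor, SANS ISC or CISA material. It walks constructed event records in a simplified JSON shape modelled on Sysmon Event ID 1 (process creation) and Event ID 11 (file creation) as a SIEM might receive them, flags cmd.exe, powershell.exe, scripting hosts and persistence tools spawned by the IIS worker process w3wp.exe or by any of its descendants, and flags server-side code files that w3wp.exe writes under the web root. The field names, host name, web root path and every event line are assumptions made for this example.

```python
"""Process-tree and file-write detection for IIS-hosted applications such as
DELMIA Apriso. Added example; the event records are constructed here and the
field names, host name and web root are assumptions, not vendor data."""
import json
from pathlib import PureWindowsPath

WEB_WORKER = "w3wp.exe"  # IIS worker process that hosts ASP.NET applications
SUSPICIOUS_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "schtasks.exe", "sc.exe",  # persistence through tasks and services
}
WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot")  # assumed IIS web root
WEBSHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def analyze(event_lines):
    """Return alerts for suspicious descendants of w3wp.exe and for server-side
    code written into the web root by w3wp.exe. Events must be in time order."""
    alerts = []
    web_lineage = set()  # process ids descended from a w3wp.exe seen so far
    for line in event_lines:
        ev = json.loads(line)
        if ev["EventID"] == 1:
            spawned_by_web = (image_name(ev["ParentImage"]) == WEB_WORKER
                              or ev["ParentProcessId"] in web_lineage)
            if not spawned_by_web:
                continue
            web_lineage.add(ev["ProcessId"])  # so grandchildren are tracked too
            if image_name(ev["Image"]) in SUSPICIOUS_IMAGES:
                alerts.append({
                    "rule": "web-worker-child", "host": ev["Computer"],
                    "time": ev["UtcTime"], "user": ev["User"],
                    "detail": f"{ev['ParentCommandLine']} -> {ev['CommandLine']}",
                })
        elif ev["EventID"] == 11:
            target = PureWindowsPath(ev["TargetFilename"])
            if (image_name(ev["Image"]) == WEB_WORKER
                    and target.suffix.lower() in WEBSHELL_EXTENSIONS
                    and WEB_ROOT in target.parents):
                alerts.append({
                    "rule": "web-root-write", "host": ev["Computer"],
                    "time": ev["UtcTime"], "user": ev["User"],
                    "detail": f"{ev['Image']} wrote {target}",
                })
    return alerts


# Constructed sample events (JSON lines). Backslashes are JSON-escaped.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Computer": "APRISO01", "UtcTime": "2025-09-10 08:00:01", "User": "IIS APPPOOL\\Apriso", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "w3wp.exe -ap Apriso", "ProcessId": 4120, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ParentCommandLine": "svchost.exe -k iissvcs", "ParentProcessId": 900}',
    r'{"EventID": 1, "Computer": "APRISO01", "UtcTime": "2025-09-10 08:05:12", "User": "CORP\\operator", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "ProcessId": 3344, "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe", "ParentProcessId": 3000}',
    r'{"EventID": 1, "Computer": "APRISO01", "UtcTime": "2025-09-10 08:07:40", "User": "IIS APPPOOL\\Apriso", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ProcessId": 5188, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "w3wp.exe -ap Apriso", "ParentProcessId": 4120}',
    r'{"EventID": 1, "Computer": "APRISO01", "UtcTime": "2025-09-10 08:07:41", "User": "IIS APPPOOL\\Apriso", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c Get-Process", "ProcessId": 5201, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c whoami", "ParentProcessId": 5188}',
    r'{"EventID": 11, "Computer": "APRISO01", "UtcTime": "2025-09-10 08:08:02", "User": "IIS APPPOOL\\Apriso", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\Apriso\\upload.aspx"}',
    r'{"EventID": 11, "Computer": "APRISO01", "UtcTime": "2025-09-10 08:08:03", "User": "IIS APPPOOL\\Apriso", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\ProgramData\\Apriso\\Logs\\app.log"}',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["rule"], alert["time"], alert["user"], alert["detail"])
```

Three alerts come out of the sample set: the cmd.exe child of w3wp.exe, the powershell.exe grandchild that the lineage set catches even though its direct parent is cmd.exe, and the .aspx file written into the web root. The command-line fields are only populated if command-line auditing (or Sysmon) is enabled on the Apriso hosts, which is the point of the recommendation above; before alerting in production, baseline which children w3wp.exe legitimately spawns in your Apriso deployment and exclude them.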
How to Mitigate CVE-2025-5086
Immediate Actions Required
- Apply the security updates published in the 3DS Security Advisories portal for all affected DELMIA Apriso releases from 2020 through 2025
- Restrict network access to Apriso web services so that only authorized internal hosts can reach them, and remove any internet exposure
- Hunt retroactively for the indicators listed above and the traffic patterns in the SANS Exploit Attempts Diary; because CISA has confirmed exploitation in the wild, treat any Apriso instance that was reachable before patching as potentially compromised until a review of its web, process, and network logs says otherwise
Patch Information
Dassault Systèmes has published fixed versions through its customer support and advisory portal. Customers must authenticate to the 3DS Security Advisories site to retrieve the specific patches for each affected release. CISA's KEV listing establishes a binding remediation deadline for U.S. federal agencies and serves as a benchmark for private-sector urgency.
Workarounds
- Place Apriso web services behind a reverse proxy or web application firewall configured to block serialized object payloads in request bodies; since Apriso requests are SOAP, the rules must also inspect base64-encoded element contents, not just raw binary signatures
- Segment Apriso servers from operational technology networks using strict firewall rules until patching is complete
- Disable any unused Apriso web service endpoints to reduce attack surface
# Example rules for a Linux perimeter firewall or reverse proxy placed in front of the
# Windows/IIS host running Apriso (the Apriso server itself is Windows; use Windows
# Firewall there). 10.10.20.0/24 is a placeholder for the authorized internal subnet.
# Rule order matters: the ACCEPT must come before the DROP.
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.