CISA Urges Immediate Patching: Critical Dassault Systèmes Flaw (CVE-2025-5086) Actively Exploited
Key Takeaways:
- CISA has issued an urgent alert regarding CVE-2025-5086, a critical vulnerability in Dassault Systèmes DELMIA Apriso.
- The vulnerability is actively being exploited and could lead to remote code execution.
- Immediate patching of affected DELMIA Apriso versions (Release 2020-2025) is strongly recommended.
- Observed attacks originate from IP address 156.244.33.162 and target the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint.
- PurpleOps offers cybersecurity solutions to help organizations mitigate this threat.
Table of Contents:
- CVE-2025-5086: Critical Dassault Systèmes Flaw in DELMIA Apriso
- Technical Details of CVE-2025-5086
- Observed Exploitation Attempts
- Attack Vector Details
- CISA’s Directive and Federal Agency Requirements
- Mitigation and Remediation
- Practical Takeaways
- PurpleOps and CVE-2025-5086
- FAQ
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical vulnerability, CVE-2025-5086, affecting Dassault Systèmes DELMIA Apriso. This deserialization flaw is actively being exploited, posing a significant risk to organizations using the affected software. Immediate patching is strongly recommended.
CVE-2025-5086: Critical Dassault Systèmes Flaw in DELMIA Apriso
CVE-2025-5086, a critical deserialization of untrusted data vulnerability within Dassault Systèmes DELMIA Apriso, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This action follows confirmed reports of active exploitation, making it imperative for organizations to address this flaw without delay. The vulnerability affects DELMIA Apriso Release 2020 through Release 2025.
Technical Details of CVE-2025-5086
The vulnerability, which has a CVSS score of 9.0, arises from the deserialization of untrusted data. Deserialization flaws occur when an application reconstructs objects from data it received from an untrusted source without validating that data first. An attacker can then supply crafted serialized objects whose deserialization causes the application to run attacker-chosen code. In the case of CVE-2025-5086, a successful exploit could lead to remote code execution (RCE), granting the attacker control over the affected system.

According to Dassault Systèmes’ advisory, this vulnerability “could lead to a remote code execution.” The risk is particularly high because DELMIA Apriso is often used in critical manufacturing environments, meaning a successful attack could disrupt operations, compromise sensitive data, and potentially lead to significant financial losses. This highlights the importance of *supply-chain risk monitoring*.
Observed Exploitation Attempts
Dr. Johannes B. Ullrich, Dean of Research at SANS.edu, has confirmed that his team has observed exploitation attempts targeting this vulnerability, and that the observed exploit abuses the deserialization flaw. This real-world confirmation underscores the urgency of applying the available patches.
Attack Vector Details
The observed attacks originate from IP address 156.244.33.162, although its precise geographic location remains unclear. The exploit is delivered through SOAP-based POST requests directed at the following vulnerable endpoint:
/apriso/WebServices/FlexNetOperationsService.svc/Invoke
The payload embeds malicious objects within XML, exploiting .NET deserialization. Analysis of the exploit revealed that it contains two identical Base64-encoded strings. When decoded and decompressed, these strings reveal a GZIP-compressed Windows executable. This executable likely contains the attacker’s malicious code, which is executed on the compromised system.
CISA’s Directive and Federal Agency Requirements
CISA has issued a clear warning that vulnerabilities of this type are common attack vectors. Unpatched DELMIA Apriso servers are at high risk of RCE, potentially leading to a full system compromise. For U.S. federal agencies, CISA has mandated remediation of this flaw by October 2, 2025. This deadline underscores the severity of the threat and the need for immediate action. The broader enterprise community should heed this warning and act accordingly.
Mitigation and Remediation
Dassault Systèmes has released patches for all affected versions of DELMIA Apriso (Release 2020-2025). Organizations are urged to apply these updates immediately. Patching remains the most effective way to address this vulnerability and prevent potential exploitation. Organizations may also consider using a *cyber threat intelligence platform* to monitor for related indicators of compromise. Given the nature of the exploit, network segmentation may also limit the blast radius of a successful attack. Consider using *real-time ransomware intelligence* to identify related attacks.
Practical Takeaways
For Technical Readers:
- Immediately apply the latest patches released by Dassault Systèmes for DELMIA Apriso.
- Inspect network traffic for SOAP-based POST requests targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint.
- Implement network segmentation to contain potential breaches.
- Monitor system logs for suspicious activity indicative of code execution following deserialization attempts.
- Consider employing a *breach detection system* to identify anomalous behaviors in real-time.
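The following script is an added example written for this article; it is not code from PurpleOps, SANS, Dassault Systèmes or the exploit itself. It turns the indicators given in the Attack Vector Details section and the technical takeaways above into two defender-side checks: a pass over access-log lines that flags POST requests to the vulnerable Invoke endpoint (and notes when the source is the IP named in the advisory), and a triage routine for a captured SOAP body that decodes long Base64 runs, checks for the GZIP magic bytes, decompresses them and checks whether the result begins with a Windows executable (MZ) header, reporting how many identical copies the body carries. The log layout (date, time, client IP, method, URI, status), the log lines, and the SOAP body are all constructed for the example; the "executable" inside the sample body is only an MZ header plus filler, not a real program, and the 40-character Base64 threshold is an assumption chosen to keep ordinary XML out of the decoder.

```python
import base64
import binascii
import gzip
import hashlib
import re
from collections import Counter

# Indicators quoted from the advisory text above.
SUSPECT_ENDPOINT = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
SUSPECT_SOURCE_IP = "156.244.33.162"

# Constructed sample access-log lines (not real traffic) in a simplified
# W3C-style layout: date time client-ip method uri status
SAMPLE_LOG_LINES = [
    "2025-09-11 10:14:02 10.0.0.5 GET /apriso/Portal/Default.aspx 200",
    "2025-09-11 10:14:09 156.244.33.162 POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke 500",
    "2025-09-11 10:15:31 10.0.0.7 POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke 200",
    "2025-09-11 10:16:00 10.0.0.5 POST /apriso/WebServices/OtherService.svc/Invoke 200",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumption: a run of 40+ Base64 characters is long enough to be a payload
# candidate and short XML tokens will not reach it.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def flag_log_lines(lines):
    """Return one record per POST to the vulnerable endpoint, with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        date, time, ip, method, uri, status = m.groups()
        if method != "POST" or uri.lower() != SUSPECT_ENDPOINT.lower():
            continue
        reasons = ["POST to vulnerable Invoke endpoint"]
        if ip == SUSPECT_SOURCE_IP:
            reasons.append("source IP listed in advisory")
        hits.append({"time": f"{date} {time}", "ip": ip, "status": status, "reasons": reasons})
    return hits


def triage_soap_body(body):
    """Decode long Base64 runs in a SOAP body and report GZIP blobs and MZ payloads."""
    blobs = B64_RE.findall(body)
    copies = Counter(blobs)  # the observed exploit carried the same string twice
    findings = []
    for blob in blobs:
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all
        entry = {
            "b64_len": len(blob),
            "identical_copies": copies[blob],
            "sha256": hashlib.sha256(raw).hexdigest(),  # hash of the still-compressed blob
            "gzip": raw.startswith(GZIP_MAGIC),
            "pe": False,
        }
        if entry["gzip"]:
            try:
                inner = gzip.decompress(raw)
                entry["pe"] = inner.startswith(PE_MAGIC)  # Windows executable header
            except (OSError, EOFError):
                pass  # truncated or corrupt stream; leave pe=False
        findings.append(entry)
    return findings


def build_sample_soap_body():
    """Construct a benign stand-in for the observed request: a SOAP envelope with the same
    GZIP-compressed blob embedded twice. The payload is an MZ header plus filler only."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real PE file " * 4
    blob = base64.b64encode(gzip.compress(fake_exe, mtime=0)).decode()
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body><Invoke><data>" + blob + "</data><data>" + blob + "</data>"
        "</Invoke></s:Body></s:Envelope>"
    )


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG_LINES):
        print("log hit:", hit)
    for finding in triage_soap_body(build_sample_soap_body()):
        print("body finding:", finding)
```

In practice the log pass would read the web server's own access log (adjust LOG_RE to its real field order) and the triage routine would be fed request bodies captured by a WAF or packet capture; a finding with gzip and pe both true on an unpatched server is a strong signal to start incident response rather than just block the source IP.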
For Non-Technical Readers:
- Ensure that your IT department is aware of CVE-2025-5086 and the urgency of patching DELMIA Apriso.
- Verify that a plan is in place to apply the necessary updates and validate their effectiveness.
- Inquire about the organization’s incident response plan in the event of a successful exploit.
- Understand the potential impact of a system compromise on business operations and data security.
- Inquire about *supply-chain information security* and how it is monitored.
PurpleOps and CVE-2025-5086
PurpleOps provides a comprehensive suite of cybersecurity solutions that can assist organizations in identifying, mitigating, and responding to threats such as CVE-2025-5086. Our services include:
- Cyber Threat Intelligence: Gain actionable insights into emerging threats and vulnerabilities, including real-time ransomware intelligence, allowing you to proactively defend against attacks.
- Breach Detection: Employ advanced monitoring and analysis techniques to quickly identify and respond to suspicious activity within your network.
- Supply-Chain Risk Monitoring: Assess and manage the security risks associated with your vendors and third-party partners.
- Dark Web Monitoring: Use our dark web monitoring service to detect compromised credentials and data leaks related to your organization.
- Underground Forum Intelligence: Monitor underground forums to detect discussions and plans targeting your organization.
- Brand Leak Alerting: Receive alerts when your brand is mentioned in connection with potential security threats.
PurpleOps’ telegram threat monitoring can help organizations stay updated on emerging threats.
By leveraging our expertise and technology, organizations can strengthen their security posture and minimize the impact of vulnerabilities like CVE-2025-5086. We also offer services such as red team operations and penetration testing to help identify weaknesses in your defenses.
A live ransomware API can provide up-to-the-minute data for better protection.
To learn more about how PurpleOps can help protect your organization from cyber threats, please visit our platform or contact us for more information.
FAQ
What is CVE-2025-5086?
CVE-2025-5086 is a critical deserialization of untrusted data vulnerability within Dassault Systèmes DELMIA Apriso that is actively being exploited.
What is the impact of this vulnerability?
A successful exploit could lead to remote code execution (RCE), granting the attacker control over the affected system.
What versions of DELMIA Apriso are affected?
DELMIA Apriso Release 2020 through Release 2025 are affected.
What is the recommended course of action?
Immediate patching of affected DELMIA Apriso versions is strongly recommended.