What is CVE-2025-5086 and why is CISA issuing urgent warnings about it?

CVE-2025-5086 is a critical-severity vulnerability with a CVSS score of 9.0 affecting DELMIA Apriso factory software. It's a deserialization of untrusted data issue that enables remote code execution (RCE) capabilities. CISA has issued urgent warnings because threat actors are actively exploiting this vulnerability in the wild, making it an immediate threat to organizations using the affected software.

What is DELMIA Apriso and which industries use it?

DELMIA Apriso is a widely deployed Manufacturing Operations Management (MOM) and Manufacturing Execution System (MES) software platform developed by French company Dassault Systèmes. It's designed for manufacturing process management and serves as a bridge connecting factory equipment with Enterprise Resource Planning (ERP) systems. It's used across multiple industries including aerospace and defense, automotive, high-tech electronics, and industrial equipment sectors.

Which versions of DELMIA Apriso are affected by CVE-2025-5086?

Multiple versions spanning several years are affected: DELMIA Apriso Release 2020 Golden through Release 2020 SP4, Release 2021 Golden through Release 2021 SP3, Release 2022 Golden through Release 2022 SP3, Release 2023 Golden through Release 2023 SP3, Release 2024 Golden through Release 2024 SP1, and Release 2025 Golden through Release 2025 SP1.

How are attackers exploiting the DELMIA Apriso vulnerability?

Attackers are exploiting CVE-2025-5086 through SOAP-based POST requests targeting the vulnerable endpoint `/apriso/WebServices/FlexNetOperationsService.svc/Invoke`. They deliver malicious payloads through XML-embedded objects that leverage .NET deserialization vulnerabilities, allowing them to execute arbitrary code on vulnerable systems.

What should organizations do to protect against CVE-2025-5086?

Organizations operating DELMIA Apriso systems should immediately: 1) Identify all instances within their networks, 2) Assess version status to determine if they're running affected versions, 3) Implement emergency patching or compensating controls. For environments where immediate patching is not feasible due to production requirements, security teams should implement network isolation controls as a temporary measure.

When was CVE-2025-5086 first disclosed and when was exploitation discovered?

CVE-2025-5086 was initially publicly disclosed by Dassault Systèmes on June 2, 2025, though the vendor's advisory provided limited technical details. Active exploitation of the vulnerability was first documented three months later on September 3, 2025, by Johannes Ullrich of the SANS Internet Storm Center.

Advisory

Critical flaw in DELMIA Apriso manufacturing software under active exploitation

Q: Is CVE-2025-5086 being actively exploited by attackers?

Yes, CVE-2025-5086 is being actively exploited in the wild. Active exploitation was first documented by Johannes Ullrich of the SANS Internet Storm Center on September 3, 2025. Security researchers observed attack traffic originating from IP address 156.244.33.162, with exploitation attempts utilizing SOAP-based POST requests targeting the vulnerable endpoint.

Q: What type of vulnerability is CVE-2025-5086?

CVE-2025-5086 is a deserialization of untrusted data vulnerability. Deserialization flaws occur when untrusted or attacker-controlled data is processed by an application without proper validation, allowing malicious objects to trigger arbitrary code execution on vulnerable systems. This type of vulnerability is particularly dangerous because it can lead to complete system compromise.

published: Sept. 12, 2025

Take action: If you use DELMIA Apriso factory software (any version from 2020 to 2025), make sure it's isolated and accessible only from trusted networks. Then check for security patches from Dassault Systèmes and apply them right away. Attackers are actively exploiting this system.

Learn More

CISA has issued an urgent warning about threat actors actively exploiting a critical-severity vulnerability in DELMIA Apriso factory software developed by French company Dassault Systèmes.

DELMIA Apriso is a widely deployed Manufacturing Operations Management (MOM) and Manufacturing Execution System (MES) software platform designed for manufacturing process management. The system serves as a bridge connecting factory equipment with Enterprise Resource Planning (ERP) systems and is used in multiple industries including aerospace and defense, automotive, high-tech electronics, and industrial equipment sectors.

The vulnerability is tracked as CVE-2025-5086 (CVSS score 9.0) and is a deserialization of untrusted data issue that enables remote code execution (RCE) capabilities. Deserialization flaws occur when untrusted or attacker-controlled data is processed by an application without proper validation, allowing malicious objects to trigger arbitrary code execution on vulnerable systems.

Affected Versions:

DELMIA Apriso Release 2020 Golden through Release 2020 SP4
DELMIA Apriso Release 2021 Golden through Release 2021 SP3
DELMIA Apriso Release 2022 Golden through Release 2022 SP3
DELMIA Apriso Release 2023 Golden through Release 2023 SP3
DELMIA Apriso Release 2024 Golden through Release 2024 SP1
DELMIA Apriso Release 2025 Golden through Release 2025 SP1

The vulnerability was initially publicly disclosed by Dassault Systèmes on June 2, 2025, but the vendor's advisory provided limited technical details beyond confirming the remote code execution potential.

Active exploitation of CVE-2025-5086 was first documented by Johannes Ullrich of the SANS Internet Storm Center on September 3, 2025. Security researchers observed attack traffic originating from IP address 156.244.33.162. The exploitation attempts utilize SOAP-based POST requests targeting the vulnerable endpoint /apriso/WebServices/FlexNetOperationsService.svc/Invoke, delivering malicious payloads through XML-embedded objects leveraging .NET deserialization vulnerabilities.

Organizations operating DELMIA Apriso systems should immediately identify all instances within their networks, assess version status, and implement emergency patching or compensating controls. For environments where immediate patching is not feasible due to production requirements, security teams should implement network isolation controls.

Critical flaw in DELMIA Apriso manufacturing software under active exploitation

Read More
IGL-Technologies Patches Critical Authentication Bypass in eParking.fi Platform
Pharos Controls Patches Critical Root Access Flaw in …
Critical vulnerability reported in Milesight UR32L industrial routers
Critical flaws reported in Planet Technology's WGS-804HPT industrial …
Siemens reports critical flaws in SiPass access control …