CVE-2025-5086
Published 2025-06-02
CVE-2025-5086: A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
Priority P1 · 94 · critical · 9 · CVSS 3.1
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-10-02
Exploited in the wild
EPSS: 89.08% (99.8th percentile)
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3ds | delmia_apriso | 2020 – 2025 | — |
| dassault_syst_mes | delmia_apriso | Release 2020 Golden – Release 2020 SP4 | — |
| dassault_syst_mes | delmia_apriso | Release 2021 Golden – Release 2021 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2022 Golden – Release 2022 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2023 Golden – Release 2023 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2024 Golden – Release 2024 SP1 | — |
| dassault_syst_mes | delmia_apriso | Release 2025 Golden – Release 2025 SP1 | — |
Detection & IOCs (extracted from sources)
url: /apriso/WebServices/FlexNetOperationsService.svc/Invoke
other: http://tempuri.org/IFlexNetOperationsService/Invoke
other: shodan-query: html:"apriso"
other: body="/Apriso/Portal"
- Exploit delivers a malicious SOAP request to the FlexNetOperationsService endpoint with a Base64-encoded, GZIP-compressed .NET executable embedded in the XML body
- Nuclei template matches on HTTP 500 response with content-type text/xml after sending the exploit SOAP request; use this triplet as a detection condition
- Hunt for Apriso-exposed assets using Shodan query html:"apriso" or FOFA query body="/Apriso/Portal" to identify attack surface
- Monitor HTTP POST requests to /apriso/WebServices/FlexNetOperationsService.svc/Invoke with SOAPAction header set to the IFlexNetOperationsService/Invoke action
- The source IP 156.244.33[.]162 is described as likely associated with automated scans, not necessarily a persistent threat actor infrastructure
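One way to apply the monitoring conditions above to web server logs, as an added example that is not part of the original page or any vendor tooling. It assumes the access log is in IIS W3C extended format; the sample log lines, IP addresses and function names are constructed for illustration.

```python
"""Flag POSTs to the DELMIA Apriso Invoke endpoint listed in the IOCs above."""

TARGET_PATH = "/apriso/webservices/flexnetoperationsservice.svc/invoke"

# Constructed sample in IIS W3C extended format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-09-03 10:01:12 198.51.100.7 GET /Apriso/Portal/ 200
2025-09-03 10:02:40 203.0.113.9 POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke 500
2025-09-03 10:02:41 203.0.113.9 POST /Apriso/WebServices/FlexNetOperationsService.svc/Invoke 200
2025-09-03 10:05:00 198.51.100.7 GET /apriso/WebServices/FlexNetOperationsService.svc 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_invoke_posts(text):
    """Return POSTs to the Invoke endpoint; HTTP 500 responses rank highest."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "POST":
            continue
        # IIS URL paths are case-insensitive, so compare lower-cased.
        if row.get("cs-uri-stem", "").lower().rstrip("/") != TARGET_PATH:
            continue
        status = row.get("sc-status", "")
        hits.append({
            "when": f"{row.get('date', '')} {row.get('time', '')}".strip(),
            "src": row.get("c-ip", ""),
            "status": status,
            # The page's detection condition pairs the request with an HTTP 500.
            "priority": "high" if status == "500" else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in find_invoke_posts(SAMPLE_LOG):
        print(hit)
```

The default IIS W3C fields do not record the SOAPAction request header or the response content-type, so matching on those two conditions needs custom log fields or a proxy/WAF log in front of the server.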
CVSS provenance
nvd · v3.1 · 9.0 CRITICAL · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck · 9.0 CRITICAL
cisa · 9.0 CRITICAL
CISA
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
cisa·2025-09-11·CVSS 9.0
CVE-2025-5086 [CRITICAL] CWE-502 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
Vulnerability: Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
Affected: Dassault Systèmes DELMIA Apriso
Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-5086 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5086
Remediation Due Date: 2025-10-02
GHSA
GHSA-7c63-xmgg-xrx5: A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code executio
ghsa_unreviewed·2025-06-02
CVE-2025-5086 [CRITICAL] CWE-502 GHSA-7c63-xmgg-xrx5: A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code executio
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
VulnCheck
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
vulncheck·2025·CVSS 9.0
CVE-2025-5086 [CRITICAL] CWE-502 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.
Affected: Dassault Systèmes DELMIA Apriso
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-5086; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-31&host_type=src&vulnerability=cve-2025-5086; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-02&host_type=src&vulnerability=cve-2025-5086; https://da
No detection rules found.
Nuclei
Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
nuclei·CVSS 9.0
CVE-2025-5086 [CRITICAL] Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
Template:

```yaml
id: CVE-2025-5086

info:
  name: Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
  author: hacktronai,iamnoooob,pdresearch
  severity: critical
  description: |
    A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization to execute arbitrary code on DELMIA Apriso servers, achieving complete system compromise.
  remediation: |
    Upgrade DELMIA Apriso to a version later than Release 2025
```
Bleepingcomputer
CISA warns of two more actively exploited Dassault vulnerabilities
blogs_bleepingcomputer·2025-10-28·CVSS 9.0
CVE-2025-6205 [CRITICAL] CISA warns of two more actively exploited Dassault vulnerabilities
## CISA warns of two more actively exploited Dassault vulnerabilities
## Sergiu Gatlan
The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes' DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution.
The first one (CVE-2025-6205) is a critical-severity missing authorization security flaw that can allow unauthenticated threat actors to remotely gain privileged access to an unpatched application, while the second (CVE-2025-6204) is a high-severity code injection vulnerability that lets attackers with high privileges execute arbitrary code on vulnerable systems.
French company Dassault Systèmes patched the two flaws in early August 2025, when it also confirme
Bleepingcomputer
CISA warns of actively exploited Dassault RCE vulnerability
blogs_bleepingcomputer·2025-09-12·CVSS 9.0
CVE-2025-5086 [CRITICAL] CISA warns of actively exploited Dassault RCE vulnerability
## CISA warns of actively exploited Dassault RCE vulnerability
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers exploiting a critical remote code execution flaw in DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution from French company Dassault Systèmes.
The agency added the vulnerability, tracked as CVE-2025-5086 and rated with a critical severity score (CVSS v3: 9.0), to the Known Exploited Vulnerabilities (KEV).
DELMIA Apriso is used in production processes for digitalizing and monitoring. Enterprises worldwide rely on it to schedule production, for quality management, allocate resources, warehouse management, and for integration between production equipment and business applications.
It is typi
Recorded Future
September 2025 CVE Landscape
blogs_recorded_future·CVSS 7.2
[HIGH] September 2025 CVE Landscape
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
NoiseLetter June 2025
2025-06-02: Published
2025-09-11: Added to CISA KEV
Exploited in the wild