CVE-2025-5086
published 2025-06-02

CVE-2025-5086: A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.

Priority: P1 (94) · critical · CVSS 3.1: 9
AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-02
Exploited in the wild
EPSS: 89.08% (99.8th percentile)

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3ds | delmia_apriso | 2020 – 2025 | |
| dassault_syst_mes | delmia_apriso | Release 2020 Golden – Release 2020 SP4 | |
| dassault_syst_mes | delmia_apriso | Release 2021 Golden – Release 2021 SP3 | |
| dassault_syst_mes | delmia_apriso | Release 2022 Golden – Release 2022 SP3 | |
| dassault_syst_mes | delmia_apriso | Release 2023 Golden – Release 2023 SP3 | |
| dassault_syst_mes | delmia_apriso | Release 2024 Golden – Release 2024 SP1 | |
| dassault_syst_mes | delmia_apriso | Release 2025 Golden – Release 2025 SP1 | |

Detection & IOCs (extracted from sources)

ip: 156.244.33[.]162
url: /apriso/WebServices/FlexNetOperationsService.svc/Invoke
other: http://tempuri.org/IFlexNetOperationsService/Invoke
other: shodan-query: html:"apriso"
other: body="/Apriso/Portal"
  • Exploit delivers a malicious SOAP request to the FlexNetOperationsService endpoint with a Base64-encoded, GZIP-compressed .NET executable embedded in the XML body
  • Nuclei template matches on HTTP 500 response with content-type text/xml after sending the exploit SOAP request — use this triplet as a detection condition
  • Hunt for Apriso-exposed assets using Shodan query html:"apriso" or FOFA query body="/Apriso/Portal" to identify attack surface
  • Monitor HTTP POST requests to /apriso/WebServices/FlexNetOperationsService.svc/Invoke with SOAPAction header set to the IFlexNetOperationsService/Invoke action
  • The source IP 156.244.33[.]162 is described as likely associated with automated scans, not necessarily persistent threat actor infrastructure

CVSS provenance

nvd: v3.1, 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL
cisa: 9.0 CRITICAL