CISA Urges Immediate Patching: Critical Dassault Systèmes Flaw (CVE-2025-5086) Actively Exploited

Ddos September 12, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Dassault Systèmes DELMIA Apriso to its Known Exploited Vulnerabilities (KEV) Catalog, following confirmed evidence of active exploitation in the wild.

Tracked as CVE-2025-5086, this flaw carries a CVSS score of 9.0 and stems from a deserialization of untrusted data vulnerability. According to Dassault’s advisory, “a deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.”

Deserialization flaws occur when untrusted or attacker-controlled data is deserialized by an application without proper validation, allowing malicious objects to trigger arbitrary code execution.

Dr. Johannes B. Ullrich, Dean of Research at SANS.edu, confirmed that his team has already observed exploitation attempts. “Either way, we are seeing exploits for DELMIA Apriso related issues. The exploit we are seeing is a deserialization problem,” Ullrich explained.

The attacks have been traced to IP address 156.244.33.162, though its true location remains ambiguous. “The scans originate from 156.244.33.162 (side quest: Is this IP located in Mexico, Argentina, or the Seychelles?),” Ullrich noted.

The exploit is delivered via SOAP-based POST requests targeting the vulnerable endpoint:

/apriso/WebServices/FlexNetOperationsService.svc/Invoke

The payload embeds malicious objects in XML, leveraging .NET deserialization. Analysts found that the exploit carried two identical Base64-encoded strings which, once Base64-decoded and GZIP-decompressed, revealed a Windows executable.
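
For defenders reviewing captured requests, the following is an added example (not code from the article, SANS or Dassault) that flags POSTs to the endpoint above and checks the body for Base64 strings that unpack to a GZIP-compressed Windows executable. The 40-character threshold, the function names and the sample body are assumptions made for this illustration; the sample is constructed and contains no executable.

```python
import base64
import gzip
import re
import zlib

ENDPOINT = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"  # path named in the article
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # assumption: only runs of 40+ chars are inspected


def embedded_binaries(body):
    """Map each Base64 string that unpacks to gzip -> 'MZ' onto its occurrence count."""
    hits = {}
    for blob in B64_RUN.findall(body):
        if blob in hits:
            hits[blob] += 1
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
            if raw[:2] != b"\x1f\x8b":  # gzip magic bytes
                continue
            # Inflate only the first two bytes so an oversized stream cannot exhaust memory.
            head = zlib.decompressobj(wbits=31).decompress(raw, 2)
        except (ValueError, zlib.error):
            continue
        if head == b"MZ":  # DOS/PE header of a Windows executable
            hits[blob] = 1
    return hits


def triage_request(method, path, body):
    """Return a list of findings for one captured HTTP request."""
    # Assumption: the path is compared case-insensitively and without its query string.
    if method.upper() != "POST" or path.split("?")[0].lower() != ENDPOINT.lower():
        return []
    findings = ["POST to the DELMIA Apriso Invoke endpoint"]
    for count in embedded_binaries(body).values():
        findings.append(f"Base64 string holding a gzip-compressed MZ binary, seen {count}x")
    return findings


def constructed_body():
    """Constructed test input: a harmless 'MZ'-prefixed byte string, not an executable."""
    blob = base64.b64encode(gzip.compress(b"MZ" + bytes(range(256)))).decode()
    return f"<Envelope><Body><x>{blob}</x><y>{blob}</y></Body></Envelope>"


if __name__ == "__main__":
    for line in triage_request("POST", ENDPOINT, constructed_body()):
        print(line)
```

A count of 2 for a single string matches the "two identical Base64-encoded strings" the analysts describe; a hit on the endpoint alone, with no embedded binary, still merits a look at the source and the server's patch level.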

CISA warns that vulnerabilities of this type are frequent attack vectors and pose significant risks to enterprise and federal networks. With confirmed exploitation in the wild, unpatched DELMIA Apriso servers are highly exposed to remote code execution (RCE), potentially leading to complete system compromise.

Dassault has released patches for all affected versions (Release 2020–2025). Organizations are urged to apply these updates immediately.

For U.S. federal agencies, CISA has set a hard deadline. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified flaw by October 2, 2025, to secure their networks.
