The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability, identified as CVE-2025-5086, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw affects Dassault Systèmes’ DELMIA Apriso Manufacturing Operations Management (MOM) software, specifically versions from Release 2020 through Release 2025. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0 out of 10, indicating its severity.
Understanding the Vulnerability
CVE-2025-5086 is categorized as a deserialization of untrusted data vulnerability. Deserialization is the process of reconstructing in-memory objects from a stored or transmitted byte stream. When an application deserializes data received from an untrusted source without restricting what that data may instantiate, an attacker who controls the stream can drive the application into executing code of their choosing. In the context of DELMIA Apriso, the flaw allows a remote attacker to send specially crafted serialized data to the application and obtain unauthorized code execution on the affected system.
Details of the Exploitation
The SANS Internet Storm Center has observed exploitation attempts targeting this vulnerability originating from the IP address 156.244.33[.]162, which is geolocated to Mexico. The attack method involves sending an HTTP request to the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint. This request contains a Base64-encoded payload that, when decoded, reveals a GZIP-compressed Windows executable named fwitxz01.dll. Security firm Kaspersky has identified this DLL as Trojan.MSIL.Zapchast.gen, a malicious program designed to spy on user activities, including capturing keyboard inputs, taking screenshots, and gathering information about active applications. The collected data is then transmitted to cybercriminals through various channels such as email, FTP, and HTTP requests.
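The request pattern described above, turned into a detection check that also serves the "Monitor for Indicators of Compromise" recommendation below. This is an added example, not code from SANS ISC, CISA or Dassault Systèmes. It assumes access logs that retain the request body, that the serialized payload appears in the body as one long Base64 run, and that a GZIP stream opening with the PE "MZ" header is the tell; the log records, the SOAP-style wrapper and the function names are the example's own constructions.

```python
"""Detection of the CVE-2025-5086 exploitation pattern described above.

Added example, not code from SANS ISC, Dassault Systemes or CISA. It
assumes access logs that retain the request body (constructed records
below) and that the serialized payload appears in the body as one long
Base64 run; the real request may wrap it differently.
"""
import base64
import gzip
import re
import zlib

# Endpoint and source IP reported by SANS ISC (the page prints the IP
# defanged as 156.244.33[.]162).
APRISO_INVOKE_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
KNOWN_BAD_SOURCES = {"156.244.33.162"}

GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every GZIP stream
PE_MAGIC = b"MZ"           # DOS header that opens a Windows executable
# Assumption: the payload is a contiguous Base64 run of 64+ characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def inspect_base64_blob(blob: bytes) -> list[str]:
    """Decode one Base64 candidate and report a GZIP wrapper and a PE header."""
    findings: list[str] = []
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return findings
    if not raw.startswith(GZIP_MAGIC):
        return findings
    findings.append("gzip-wrapped-payload")
    try:
        inner = gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):   # truncated or corrupt stream
        return findings
    if inner.startswith(PE_MAGIC):
        findings.append("pe-executable-inside-gzip")
    return findings


def analyze_request(record: dict) -> list[str]:
    """Return the indicators one request record matches, in a fixed order."""
    findings: list[str] = []
    if record["src_ip"] in KNOWN_BAD_SOURCES:
        findings.append("known-bad-source-ip")
    if record["path"].lower() == APRISO_INVOKE_PATH.lower():
        findings.append("apriso-invoke-endpoint")
    for blob in B64_RUN.findall(record["body"]):
        findings.extend(inspect_base64_blob(blob))
    return findings


def _soap_body(payload_b64: bytes) -> bytes:
    """Constructed SOAP-style wrapper; the real envelope layout is not on the page."""
    return (b"<s:Envelope><s:Body><Invoke><data>" + payload_b64
            + b"</data></Invoke></s:Body></s:Envelope>")


def _fake_executable_payload() -> bytes:
    """Constructed stand-in for the GZIP-compressed DLL: a blob that starts
    with the PE 'MZ' header followed by filler. It is not an executable, just
    enough bytes to exercise the same checks."""
    stub = PE_MAGIC + b"\x90\x00" + bytes(range(256))
    return base64.b64encode(gzip.compress(stub))


# Constructed sample records: one matching the observed attack, one
# legitimate-looking call to the same endpoint, one unrelated request.
SAMPLE_REQUESTS = [
    {"src_ip": "156.244.33.162", "method": "POST", "path": APRISO_INVOKE_PATH,
     "body": _soap_body(_fake_executable_payload())},
    {"src_ip": "10.0.0.5", "method": "POST", "path": APRISO_INVOKE_PATH,
     "body": _soap_body(base64.b64encode(b'{"op": "GetOrderStatus", "order": "WO-1001"}' * 3))},
    {"src_ip": "10.0.0.7", "method": "GET", "path": "/apriso/", "body": b""},
]


def triage(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) only for records that matched something."""
    return [(i, f) for i, r in enumerate(records) if (f := analyze_request(r))]


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[index]
        print(f"#{index} {r['src_ip']} {r['method']} {r['path']}: {', '.join(findings)}")
```

The endpoint hit on its own is only context, since legitimate clients call the same service; the combination of a GZIP-wrapped PE inside the Base64 body, optionally with the reported source address, is what warrants an alert. The source IP is treated as a low-confidence indicator because it can change at any time.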
Implications for Affected Organizations
The exploitation of CVE-2025-5086 poses significant risks to organizations using vulnerable versions of DELMIA Apriso. Potential consequences include:
– Remote Code Execution: Attackers can gain control over the affected system, leading to unauthorized access to sensitive data, installation of additional malware, or further infiltration into the organization’s network.
– Operational Disruption: Unauthorized control over the software can disrupt manufacturing operations, halt production processes, compromise data integrity, and affect supply chain management, ultimately impacting business continuity.
– Data Breach Risks: Attackers may extract sensitive information, including proprietary data and customer information, resulting in data breaches, regulatory penalties, and damage to the organization’s reputation.
Recommended Actions
In response to the active exploitation of this vulnerability, CISA advises Federal Civilian Executive Branch (FCEB) agencies and other organizations to take the following actions:
1. Apply Security Updates: Dassault Systèmes has released patches addressing this vulnerability. Organizations should upgrade to the latest version of DELMIA Apriso where this issue has been resolved.
2. Implement Network Controls: Restrict network access to the application by implementing network segmentation and using intrusion detection systems to monitor for potential exploitation attempts.
3. Validate and Sanitize Data Inputs: Ensure that all serialized data inputs are properly validated and sanitized to prevent deserialization of untrusted data.
4. Monitor for Indicators of Compromise: Regularly monitor systems for signs of exploitation, such as unexpected network traffic or the presence of unauthorized files.
Federal agencies are required to apply the necessary updates by October 2, 2025, to secure their networks.
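Recommendation 3 above, illustrated with an allowlist-based loader. This is an added example, not Dassault Systèmes code: DELMIA Apriso is a .NET product and the page does not say which serializer the vulnerable endpoint uses, so Python's pickle stands in here to show the principle that the loader, not the payload, decides which types may be instantiated. The allowed type, the sample order object and the untrusted payload are constructed for the example.

```python
"""Allowlist-based deserialization, illustrating recommendation 3 above.

Added example, not Dassault Systemes code. DELMIA Apriso is a .NET product
and the page does not say which serializer the vulnerable endpoint uses;
Python's pickle stands in here to show the principle: the loader, not the
payload, decides which types may be instantiated.
"""
import datetime
import io
import os
import pickle

# The only (module, name) pairs the loader may resolve. Everything else,
# including any function reachable through the standard library, is refused.
ALLOWED_GLOBALS = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from ALLOWED_GLOBALS."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize under the allowlist; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_payload_allowed(data: bytes) -> bool:
    """True if the payload references nothing outside the allowlist."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


# Constructed sample object of the shape the endpoint legitimately accepts:
# plain containers plus one allowed type (datetime.date).
TRUSTED_OBJECT = {
    "order_id": "WO-1001",
    "quantity": 25,
    "due": datetime.date(2025, 9, 30),
}


class _CallableReference:
    """Constructed untrusted payload: tells the loader to call os.getcwd()
    while deserializing. A harmless callable is used on purpose; what matters
    is that the payload, not the application, chose what runs."""

    def __reduce__(self):
        return (os.getcwd, ())


def trusted_payload() -> bytes:
    return pickle.dumps(TRUSTED_OBJECT)


def untrusted_payload() -> bytes:
    return pickle.dumps(_CallableReference())


if __name__ == "__main__":
    print("trusted:", safe_loads(trusted_payload()))
    print("untrusted allowed?", is_payload_allowed(untrusted_payload()))
    # The unrestricted loader runs whatever the payload names; here that is
    # only os.getcwd(), but it could be any importable callable.
    print("unrestricted loader returned:", pickle.loads(untrusted_payload()))
```

The design choice is a closed allowlist rather than a blocklist of dangerous types: a blocklist has to anticipate every gadget, while an allowlist only has to enumerate what the application actually expects. Where a format cannot be restricted this way, the safer answer is to switch the endpoint to a data-only format such as JSON with explicit schema validation.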
Conclusion
The active exploitation of CVE-2025-5086 underscores the critical importance of promptly addressing software vulnerabilities. Organizations using DELMIA Apriso should take immediate action to apply the recommended patches and implement security measures to protect their systems from potential attacks. Staying vigilant and proactive in cybersecurity practices is essential to safeguard sensitive information and maintain operational integrity.