A critical security vulnerability has been identified and actively exploited in DELMIA Apriso, a manufacturing operations management (MOM) and manufacturing execution system (MES) software developed by Dassault Systèmes. This software is integral to managing manufacturing processes across various industries, including aerospace, defense, automotive, high-tech, and industrial equipment sectors in North America, Europe, and Asia.
Vulnerability Details
The vulnerability, designated as CVE-2025-5086 with a CVSS score of 9.0, pertains to the deserialization of untrusted data. This flaw affects DELMIA Apriso versions from 2020 through 2025. Deserialization vulnerabilities occur when untrusted data is used to abuse the logic of an application, leading to remote code execution (RCE). In this context, an attacker could exploit the vulnerability to execute arbitrary code on the affected system, potentially gaining full control over the manufacturing operations managed by the software.
Discovery and Public Disclosure
The vulnerability was publicly disclosed in June 2025. Dassault Systèmes released an advisory acknowledging the issue but provided limited technical details, confirming only that the flaw could be exploited for remote code execution. The lack of detailed information has raised concerns within the cybersecurity community, as it leaves organizations uncertain about the specific nature of the threat and the necessary steps to mitigate it.
Active Exploitation and CISA’s Response
On September 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-5086 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion indicates that the vulnerability has been observed in active exploitation attempts. CISA has mandated that federal agencies patch the vulnerability by October 2, 2025, as per Binding Operational Directive (BOD) 22-01. While CISA has not disclosed specific details about the attacks or identified whether they are associated with ransomware campaigns, the urgency of the directive underscores the severity of the threat.
Observations from the Cybersecurity Community
Prior to CISA’s announcement, on September 3, 2025, Johannes Ullrich of the SANS Internet Storm Center reported observing exploitation attempts targeting this vulnerability. Ullrich noted that the exploits involved deserialization issues and identified scanning activity originating from the IP address 156.244.33.162. This early detection highlights the proactive monitoring efforts within the cybersecurity community and the importance of sharing threat intelligence to mitigate emerging risks.
Implications for Industrial Sectors
The exploitation of CVE-2025-5086 poses significant risks to industrial sectors relying on DELMIA Apriso for manufacturing operations management. Successful exploitation could lead to unauthorized access, data manipulation, production disruptions, and potential safety hazards. Given the critical role of manufacturing in the global supply chain, such vulnerabilities can have far-reaching consequences, affecting not only the targeted organizations but also their partners and customers.
Recommended Mitigation Measures
Organizations utilizing DELMIA Apriso should take immediate action to mitigate the risks associated with CVE-2025-5086. Recommended steps include:
1. Apply Patches Promptly: Ensure that all instances of DELMIA Apriso are updated to the latest version that addresses the vulnerability. Regularly check for updates and apply them as soon as they become available.
2. Conduct Security Assessments: Perform thorough security assessments to identify any signs of compromise or unauthorized access. This includes reviewing system logs, monitoring network traffic, and conducting vulnerability scans.
3. Implement Network Segmentation: Isolate critical systems from external networks and limit access to essential personnel. Network segmentation can reduce the attack surface and prevent lateral movement within the network.
4. Enhance Monitoring and Detection: Deploy advanced monitoring tools to detect unusual activity or potential exploitation attempts. Establishing a robust incident response plan can facilitate swift action in the event of a security breach.
5. Educate and Train Staff: Provide cybersecurity training to employees, emphasizing the importance of recognizing phishing attempts and following best practices for system security.
Broader Context of Industrial Software Vulnerabilities
The exploitation of vulnerabilities in industrial software is not an isolated incident. Similar issues have been observed in other industrial control systems (ICS) and manufacturing software. For instance, vulnerabilities in Mitsubishi Electric’s factory automation products have exposed engineering workstations to potential attacks. These incidents underscore the critical need for robust cybersecurity measures within the industrial sector.
Conclusion
The active exploitation of CVE-2025-5086 in DELMIA Apriso highlights the persistent threats facing industrial control systems and manufacturing software. Organizations must remain vigilant, promptly apply security patches, and implement comprehensive cybersecurity strategies to protect their operations from potential attacks. Collaboration between software vendors, cybersecurity agencies, and industrial organizations is essential to address vulnerabilities and enhance the overall security posture of the manufacturing sector.
