Attackers have been spotted targeting a critical remote code execution (RCE) vulnerability in a key manufacturing management platform used by some of the world’s largest companies.
First made public on the maker’s site in June, the vulnerability is CVE-2025-5086 in Delmia Apriso, a Manufacturing Operations Management (MOM) platform from Dassault Systèmes best described as a giant piece of middleware that sits between and coordinates many manufacturing functions across production, machine maintenance, quality control, and inventory. It affects all versions from Release 2020 through Release 2025.
Despite the risk the vulnerability poses to a fundamental manufacturing system, Dassault Systèmes has offered only the barest details about the flaw or how it might be mitigated, even on its customer support portal.
Instead, the little public information that has emerged comes from third-party sources, most prominently last week when CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog. The catalog entry describes the flaw simply as “a deserialization of untrusted data vulnerability that could lead to a remote code execution,” with a CVSS score of 9.0, or ‘critical.’
Some days earlier, Johannes Ullrich of the SANS Internet Storm Center (ISC) published a separate alert on CVE-2025-5086 offering more context. It’s possible, though unconfirmed, that this advisory was the source for CISA’s warning.
“When I am thinking about the security of manufacturing environments, I am usually focusing on IoT devices integrated into production lines. All the little sensors and actuators are often very difficult to secure,” wrote Ullrich. “On the other hand, there is also ‘big software’ that is used to manage manufacturing.” Although it’s less frequently an issue, he noted, “complex systems like this have bugs, too.”
When he uploaded the exploit to VirusTotal, it was detected by only one anti-malware engine, Kaspersky, Ullrich found. This identified it as ‘MSIL.Zapchast.gen,’ a vague label applied to many Trojans that look a bit like the original Zapchast malware from 2006.
What it doesn’t do is offer any clues as to who is behind the attacks targeting Delmia Apriso, although the obvious worry will be exploits wielded by ransomware actors.
“The scans originate from 156.244.33.162,” Ullrich wrote, and the executable contained the string “Project Discovery CVE-2025-5086.” This suggested the attack had followed reconnaissance by a vulnerability scanner, Ullrich speculated.
If so, a pessimistic interpretation of this is that the attackers knew what they were looking for and might therefore not be the first to attempt such a scan.
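For defenders triaging the indicators quoted above, here is an added example that is not part of the article or of the SANS ISC alert: a small Python script that flags web-server log entries from the reported scan source and checks a captured file for the marker string. Only the IP address and the string come from the article; the log lines, sample bytes and log format are constructed, and the UTF-16LE check is an assumption based on how .NET (MSIL) assemblies store string literals.

```python
import re
from pathlib import Path

# Indicators taken from the article (as reported by SANS ISC).
SCAN_SOURCE_IP = "156.244.33.162"
MARKER_STRING = b"Project Discovery CVE-2025-5086"

# Constructed sample log lines in combined log format (paths are placeholders,
# not real Apriso URLs).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2025:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
156.244.33.162 - - [10/Sep/2025:08:02:44 +0000] "POST / HTTP/1.1" 500 0 "-" "-"
10.0.0.7 - - [10/Sep/2025:08:03:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
156.244.33.162 - - [10/Sep/2025:08:05:19 +0000] "GET / HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_scanner_hits(log_text: str, ip: str = SCAN_SOURCE_IP) -> list[dict]:
    """Return parsed entries whose client IP matches the reported scan source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") == ip:
            hits.append({"ts": m.group("ts"), "request": m.group("req"),
                         "status": int(m.group("status"))})
    return hits


def contains_marker(data: bytes, marker: bytes = MARKER_STRING) -> bool:
    """Check raw bytes for the marker string, both as ASCII and as UTF-16LE
    (assumption: .NET assemblies keep string literals in UTF-16)."""
    return marker in data or marker.decode("ascii").encode("utf-16-le") in data


def scan_file(path: Path) -> bool:
    """Convenience wrapper: read a suspect file and check it for the marker."""
    return contains_marker(path.read_bytes())


if __name__ == "__main__":
    for hit in find_scanner_hits(SAMPLE_LOG):
        print(f"scanner hit: {hit}")
    # Constructed sample resembling a UTF-16 string literal inside a binary.
    sample = b"\x00\x01" + MARKER_STRING.decode("ascii").encode("utf-16-le") + b"\x00"
    print("marker found:", contains_marker(sample))
```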
Rough patch
The Dassault Systèmes website currently showcases 556 companies using the platform in their operations, which is likely only a sample of the full customer base. The company acquired the software under its Delmia brand when it bought US software company Apriso in 2013.
For any manufacturer using it, many of which will be large, global enterprises, it is a fundamental platform without which they would struggle to operate. This dependence explains why taking down the numerous manufacturing processes managed by Delmia Apriso as part of a patching process is unlikely to be simple.
CSOonline approached Dassault Systèmes for more detail on how customers should mitigate or manage the issue, but received no comment by press time.
However, the administration documentation indicates that the software has followed an annual release schedule since 2020, which means that a fix would have to be issued for each of six versions. Security fixes appear to ship as part of service packs, which the customer must download on their own initiative.