CISA Warns of Active Dassault RCE Exploit—Patch Now

Summary
– CISA warns of hackers exploiting a critical remote code execution flaw (CVE-2025-5086) in Dassault Systèmes’ DELMIA Apriso software.
– The vulnerability affects all versions from Release 2020 through 2025 and allows remote code execution via deserialization of untrusted data.
– Active exploitation attempts have been observed using malicious SOAP requests to deliver encoded .NET executables to vulnerable endpoints.
– CISA requires federal agencies to apply patches or mitigations by October 2, though the guidance also urges private organizations worldwide to take action.
– DELMIA Apriso is widely used in manufacturing sectors like automotive and aerospace for production monitoring, quality control, and resource management.

A critical security alert has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) regarding active exploitation of a remote code execution vulnerability in Dassault Systèmes’ DELMIA Apriso software. This widely used manufacturing operations platform is now at risk due to a flaw that could allow attackers to execute arbitrary code on affected systems.
The vulnerability, identified as CVE-2025-5086, carries a CVSS severity score of 9.0, placing it in the critical category. CISA has officially listed it in its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to take defensive action.
DELMIA Apriso serves as a central hub for manufacturing execution and operations management, helping businesses streamline production scheduling, quality assurance, resource allocation, and warehouse operations. Its integration capabilities make it a cornerstone in sectors like automotive, aerospace, and industrial manufacturing, where precision and compliance are non-negotiable.
This security weakness stems from unsafe deserialization of untrusted data, a type of flaw that can permit unauthorized remote code execution. Dassault Systèmes acknowledged the issue earlier this summer, confirming that every version from Release 2020 through 2025 is susceptible, though specific technical details were withheld at the time.
Evidence of active attacks emerged in early September when researcher Johannes Ullrich documented exploitation attempts involving malicious SOAP requests directed at vulnerable endpoints. These requests contained hidden .NET executables, compressed and encoded within XML, designed to deploy harmful payloads on targeted systems.
One observed malicious IP address, 156.244.33[.]162, has been tied to these activities, suggesting automated scanning or exploitation campaigns. While CISA has not publicly linked its advisory to Ullrich’s findings, the timing and nature of the alert imply confirmed attacks are underway.
Federal agencies have been directed to apply patches or implement mitigations by October 2, or discontinue use of the software entirely. Although this directive applies specifically to U.S. government bodies, private sector organizations worldwide are strongly encouraged to heed the warning and secure their systems without delay.
(Source: Bleeping Computer)