DELMIA Factory Software Under Active Attack: Critical Vulnerability Exploited

Summary
– CISA warns that threat actors are exploiting a critical vulnerability (CVE-2025-5086) in DELMIA Apriso factory software.
– The vulnerability is a deserialization flaw with a CVSS score of 9.0, affecting releases from 2020 through 2025 and enabling remote code execution.
– CISA added the flaw to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch by October 2, though details on attacks are not provided.
– Johannes Ullrich of SANS observed exploitation attempts originating from a specific IP address, involving encoded strings that decode to a malicious Windows executable.
– Organizations are advised to address the vulnerability promptly due to DELMIA Apriso’s central role in connecting factory equipment with ERP systems.
A critical vulnerability within the DELMIA Apriso factory software is now under active exploitation, according to an urgent alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA). This flaw poses a significant risk to manufacturing operations worldwide, particularly within sectors such as aerospace, automotive, and industrial equipment.
Developed by Dassault Systèmes, DELMIA Apriso serves as a comprehensive manufacturing operations management platform, widely adopted across North America, Europe, and Asia. The software plays a central role in coordinating production processes, making it a high-value target for threat actors.
The vulnerability, identified as CVE-2025-5086, carries a CVSS score of 9.0 and stems from the deserialization of untrusted data. It affects all DELMIA Apriso releases from 2020 through 2025. Although the flaw was publicly disclosed in June, technical specifics were withheld beyond the confirmation that it could allow remote code execution.
CISA has now added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies have been directed to apply patches by October 2 in compliance with Binding Operational Directive 22-01. While the agency has not released details regarding the nature of the attacks, the inclusion in the KEV list underscores the seriousness of the threat.
Earlier this month, Johannes Ullrich of the SANS Internet Storm Center reported scanning activity originating from IP address 156.244.33.162 targeting the vulnerability. Analysis of these requests revealed encoded strings that decoded into a compressed Windows executable. Although the payload did not trigger detections on VirusTotal, it was flagged as malicious by Hybrid Analysis, suggesting the activity may be linked to a vulnerability scanner.
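The pattern Ullrich reported (encoded request strings that decode to a compressed Windows executable) is what a defender would hunt for in web-server or WAF logs for the Apriso front end. The following is an added example, not code from the article, SANS, or Dassault Systèmes; it assumes base64 encoding and gzip compression (the article names neither), uses a placeholder endpoint path and field name, and runs over constructed request records.

```python
import base64, gzip, re, zlib

# Scanning source named in the article (SANS ISC); an indicator, not proof of compromise.
KNOWN_SCANNER_IPS = {"156.244.33.162"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{128,}={0,2}")  # runs long enough to carry a packed binary
MAX_INFLATED = 16 * 1024 * 1024  # output cap so a hostile stream cannot exhaust memory

def inflate_bounded(data: bytes):
    """Gunzip with an output cap; None if not gzip, corrupt, or larger than the cap."""
    if not data.startswith(b"\x1f\x8b"):  # gzip magic
        return None
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    try:
        out = d.decompress(data, MAX_INFLATED)
    except zlib.error:
        return None
    return None if d.unconsumed_tail else out  # leftover input means the cap was hit

def classify_body(body: str) -> list:
    """Findings for one request body: encoded blobs that inflate to a PE image (MZ header)."""
    findings = []
    for m in B64_TOKEN.finditer(body):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error: not base64 or bad padding
            continue
        inflated = inflate_bounded(raw)
        if inflated is not None and inflated[:2] == b"MZ":
            findings.append("base64+gzip blob inflates to a Windows executable")
    return findings

def scan_requests(requests):
    """requests: iterable of (src_ip, path, body). One alert dict per suspicious request."""
    alerts = []
    for src_ip, path, body in requests:
        reasons = classify_body(body)
        if src_ip in KNOWN_SCANNER_IPS:
            reasons.append("source IP matches the published scanning indicator")
        if reasons:
            alerts.append({"src_ip": src_ip, "path": path, "reasons": reasons})
    return alerts

# Constructed stand-in payload: MZ header plus filler, gzipped then base64-encoded; not a real executable.
FAKE_ENCODED_PE = base64.b64encode(gzip.compress(b"MZ" + bytes(range(256)) * 4)).decode()
# Constructed sample records; the endpoint path and field name are placeholders, not Apriso's.
SAMPLE_REQUESTS = [
    ("156.244.33.162", "/placeholder-endpoint", "data=" + FAKE_ENCODED_PE),
    ("10.0.0.5", "/placeholder-endpoint", "data=" + base64.b64encode(b"A" * 150).decode()),
]
```

The output cap matters because the decoder runs on attacker-controlled input: a tiny gzip stream can expand to gigabytes, so the detector must refuse oversized output rather than inflate it.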
Given the critical function of DELMIA Apriso in integrating factory equipment with enterprise resource planning systems, organizations are strongly urged to apply available patches immediately. Delaying remediation could expose industrial control systems to significant operational and security risks.
The ongoing exploitation of this vulnerability highlights the persistent threats facing industrial environments and the continuous need for proactive cybersecurity measures.
(Source: Security Week)