Manufacturing operations are increasingly threatened not just by IoT weaknesses, but also by vulnerabilities in the complex software platforms that tie production floors to enterprise systems. One such platform, DELMIA Apriso by Dassault Systèmes, is now the focus of active exploitation attempts following the disclosure of a critical flaw.
In June 2025, Dassault Systèmes published an advisory for CVE-2025-5086 (CVSS 9.0). According to the advisory, “a deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.”
This puts at risk the Manufacturing Operation Management (MOM) and Manufacturing Execution System (MES) software that acts as the backbone of many industrial environments.
Dr. Johannes B. Ullrich, Dean of Research at SANS.edu, reported that his team has already observed real-world exploit attempts against Apriso servers. “Either way, we are seeing exploits for DELMIA Apriso related issues. The exploit we are seeing is a deserialization problem,” Ullrich explained.
The attacks are being launched from the IP address 156.244.33.162, though its true location remains unclear. As Ullrich noted, “the scans originate from 156.244.33.162 (side quest: Is this IP located in Mexico, Argentina, or the Seychelles?).”
The observed exploit uses SOAP-based POST requests targeting the vulnerable web service endpoint, /FlexNetOperationsService.svc/Invoke.
The payload leverages .NET deserialization, embedding malicious objects in XML. A section of the request contained a Base64-encoded string, which after decoding and decompression turned out to be a Windows executable.
Ullrich highlighted the malicious payload: “The two identical Base64 encoded strings decode to a GZIP-compressed Windows executable.”
While VirusTotal initially reported no detection, Hybrid Analysis classified the binary as malicious.
Interestingly, the payload included the text “Project Discovery CVE-2025-5086”, suggesting that the scans may be linked to automated vulnerability scanning frameworks rather than targeted attacks.
Organizations running DELMIA Apriso should act immediately:
- Apply Dassault’s patch for CVE-2025-5086 across all supported versions (Release 2020–2025).
- Monitor logs for suspicious requests to /FlexNetOperationsService.svc/Invoke.
- Inspect for malicious payloads in SOAP envelopes, particularly those containing large Base64-encoded data.
- Segment MOM/MES systems from internet exposure and enforce strong network access controls.
- Hunt for indicators of compromise linked to 156.244.33.162 or executables delivered via GZIP-compressed payloads.
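One way to operationalise the log and SOAP-envelope checks above, as an added Python example that is not part of the article or of the SANS analysis: it matches the endpoint path named above and classifies every long Base64 run in a request body by decoding it and checking for GZIP and PE ("MZ") magic bytes. The length threshold, the SOAP element names and the sample payload are assumptions.

```python
import base64
import binascii
import gzip
import re

# Heuristic from the indicators above: a POST to the vulnerable endpoint whose
# SOAP body carries a long Base64 run decoding to a GZIP stream that wraps a
# Windows PE ("MZ") executable. The path is from the article; the length
# threshold, element names and sample payload are assumptions.
TARGET_PATH = "/FlexNetOperationsService.svc/Invoke"
B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # only long Base64 runs
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"

def classify_blob(b64_text: str) -> str:
    """Return 'not_base64', 'base64', 'gzip' or 'pe_in_gzip' for one candidate run."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except binascii.Error:
        return "not_base64"
    if not raw.startswith(GZIP_MAGIC):
        return "base64"
    try:
        inner = gzip.decompress(raw)
    except (OSError, EOFError):
        return "gzip"  # GZIP magic but undecodable: still suspicious
    return "pe_in_gzip" if inner.startswith(PE_MAGIC) else "gzip"

def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify each long Base64 run in the body; alert only on the full pattern."""
    blobs = [classify_blob(m.group(0)) for m in B64_RE.finditer(body)]
    endpoint_hit = method == "POST" and path == TARGET_PATH
    return {"endpoint_hit": endpoint_hit, "blobs": blobs,
            "alert": endpoint_hit and "pe_in_gzip" in blobs}

def build_soap_body(payload: bytes) -> str:
    """Constructed input: GZIP + Base64 the payload and embed it twice in a SOAP
    envelope, mirroring the two identical strings in the observed request."""
    blob = base64.b64encode(gzip.compress(payload)).decode()
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<s:Body><Invoke><arg>{blob}</arg><arg>{blob}</arg></Invoke>"
            "</s:Body></s:Envelope>")

# Constructed stand-in for an executable: PE magic plus hard-to-compress filler.
FAKE_PE = PE_MAGIC + bytes(range(256)) * 4

if __name__ == "__main__":
    print(inspect_request("POST", TARGET_PATH, build_soap_body(FAKE_PE)))
```

Run over real traffic, feed the decoded request body of each POST to the endpoint into inspect_request and forward any alert, together with the raw envelope, to your sandbox rather than acting on VirusTotal alone.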