Ethical Hacking News
New Vulnerability Alert: Critical CVE-2025-5086 in DELMIA Apriso Manufacturing Operations Management Software Exploited by Cybercriminals, CISA Issues Urgent Warning
Cybersecurity experts have identified a critical security flaw in Dassault Systèmes DELMIA Apriso software with a CVSS score of 9.0. The vulnerability, CVE-2025-5086, allows for remote code execution and is being actively exploited in the wild. The issue affects multiple versions of the software, including those from Release 2020 through Release 2025. Researchers have seen active exploitation attempts targeting the vulnerability, with attacks originating from an IP address in Mexico. The malicious software is identified as "Trojan.MSIL.Zapchast.gen," which spies on users and steals sensitive information. CISA has added the vulnerability to its KEV catalog and advises Federal Civilian Executive Branch agencies to apply necessary updates by October 2, 2025.
Cybersecurity experts have been sounding the alarm for days, as a critical security flaw has been discovered in the manufacturing operations management software Dassault Systèmes DELMIA Apriso. The vulnerability, tracked as CVE-2025-5086, carries a CVSS score of 9.0 out of 10.0, placing it firmly in the critical severity range.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has taken swift action by adding this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, a list that tracks known vulnerabilities being actively exploited in the wild. This move serves as a clear warning to organizations that rely on DELMIA Apriso software for their manufacturing operations management needs.
According to CISA, the issue at hand is a deserialization of untrusted data vulnerability that could potentially lead to remote code execution. In simpler terms, this means that an attacker can manipulate the data used by the software in such a way that it executes malicious code on the system, allowing the attacker to take control and carry out their nefarious plans.
Dassault Systèmes DELMIA Apriso contains a critical deserialization of untrusted data vulnerability that can lead to remote code execution.
The vulnerability is present across multiple versions of the software, including those from Release 2020 through Release 2025. This wide range indicates that nearly two decades of software updates and maintenance have not been enough to fix this glaring security issue.
Researchers at SANS Internet Storm Center reported seeing active exploitation attempts targeting CVE-2025-5086, with attacks originating from an IP address located in Mexico (156.244.33[.]162). These attacks involve sending HTTP requests to the "/apriso/WebServices/FlexNetOperationsService.svc/Invoke" endpoint with a Base64-encoded payload that decodes into a GZIP-compressed Windows executable ("fwitxz01.dll").
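A small detection check for the request pattern just described, added here as an example and not taken from SANS or the article: it flags requests to the Invoke endpoint whose body carries a Base64 blob that decodes to a GZIP stream wrapping a Windows PE ("MZ") header. The sample requests, the stub DLL bytes and the 64-character Base64 run threshold are constructed assumptions.

```python
import base64
import binascii
import gzip
import re
from typing import List, Optional, Tuple

# Endpoint named in the SANS ISC report quoted above.
INVOKE_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
# Runs of Base64 long enough to carry an embedded file (64 is an assumed heuristic).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def unwrap_blob(token: str) -> Optional[bytes]:
    """Base64-decode a token; if the result is GZIP (1f 8b magic), decompress it.
    Returns None when the token is not valid Base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if raw[:2] != b"\x1f\x8b":
        return raw
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError):
        return raw  # corrupt gzip: keep the raw bytes for inspection


def classify_request(path: str, body: str) -> str:
    """Return 'clean', 'watch' or 'alert' for one HTTP request to the Apriso host."""
    if path.lower() != INVOKE_PATH.lower():
        return "clean"
    for token in B64_RUN.findall(body):
        blob = unwrap_blob(token)
        if blob is not None and blob[:2] == b"MZ":
            return "alert"  # Windows executable smuggled inside the request body
    return "watch"  # any other hit on the Invoke endpoint is worth logging


# Constructed sample traffic (not real captures). FAKE_DLL is a stand-in that only
# carries the PE 'MZ' prefix; it is not an executable.
FAKE_DLL = b"MZ" + bytes(range(256))
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    (INVOKE_PATH, "<s:Envelope><s:Body><Invoke>SGVsbG8sIFdvcmxk</Invoke></s:Body></s:Envelope>"),
    (INVOKE_PATH, base64.b64encode(gzip.compress(FAKE_DLL)).decode()),
    ("/apriso/Portal/Login.aspx", "user=operator&lang=en"),
]


def scan(requests=SAMPLE_REQUESTS) -> List[str]:
    return [classify_request(path, body) for path, body in requests]


if __name__ == "__main__":
    for (path, _), verdict in zip(SAMPLE_REQUESTS, scan()):
        print(f"{verdict:5}  {path}")
```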
Johannes B. Ullrich, the dean of research at SANS Technology Institute, explained how this malicious software works: "The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request)." This describes the channels through which the malware exfiltrates stolen data.
Further details on the nature of this malware have been revealed by Kaspersky. They have identified it as "Trojan.MSIL.Zapchast.gen," which is a type of software designed to spy on users and steal their sensitive information, including keyboard input, screenshots, and running applications. The collected data is then sent back to the attacker's server through multiple channels.
Variants of Zapchast have been circulating for over a decade, primarily distributed via phishing emails with malicious attachments. It remains unclear whether the "Trojan.MSIL.Zapchast.gen" sample seen here is an updated build of the same family or a new strain altogether.
Given the severity of this vulnerability and its wide applicability to various sectors, organizations that rely on DELMIA Apriso should take immediate action. CISA has advised Federal Civilian Executive Branch (FCEB) agencies to apply necessary updates by October 2, 2025, in order to secure their networks against potential attacks.
In conclusion, the discovery of this critical security flaw highlights the need for continuous vigilance and proactive measures when it comes to software vulnerabilities. As technology continues to evolve at an unprecedented rate, so too must our approach to cybersecurity.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Security-Flaw-Exposed-in-Dassault-Systmes-DELMIA-Apriso-The-Looming-Threat-to-Industrial-Control-Systems-and-Beyond-ehn.shtml
https://thehackernews.com/2025/09/critical-cve-2025-5086-in-delmia-apriso.html
Published: Fri Sep 12 08:37:47 2025 by llama3.2 3B Q4_K_M