Executive Summary
In June 2025, Dassault Systèmes disclosed a critical deserialization vulnerability (CVE-2025-5086) in its DELMIA Apriso Manufacturing Operations Management (MOM) system, affecting releases from 2020 through 2025. Attackers exploited this remote code execution flaw via crafted SOAP requests containing malicious serialized data, enabling them to upload and execute arbitrary Windows executables on vulnerable servers. The exploit activity, orchestrated through automated scanners—some associated with the Project Discovery framework—originated from multiple geographies and targeted the core manufacturing process integration point, posing risks to operational uptime and potential lateral movement within enterprise environments.
This incident underscores the growing threat targeting industrial control applications and critical infrastructure through software supply chain vulnerabilities. Exploiting deserialization bugs in widely deployed operational technology platforms has become a preferred method for threat actors, highlighting the urgent need for timely patching, application-layer anomaly detection, and zero trust segmentation within manufacturing and industrial settings.
Why This Matters Now
Attackers are increasingly focusing on software vulnerabilities in industrial operations platforms, leveraging remote code execution to move laterally and disrupt core manufacturing services. As exploit attempts for CVE-2025-5086 have begun surfacing in the wild—and with many environments slow to patch—manufacturers face heightened risk of business disruption, data exfiltration, and potential regulatory impact if these vulnerabilities remain unmitigated.
Attack Path Analysis
The attack began when the adversary exploited a deserialization vulnerability (CVE-2025-5086) in Dassault DELMIA Apriso, sending a crafted SOAP request with a malicious embedded payload. Following remote code execution, attackers may have sought to escalate privileges within the execution environment to gain broader access. Once a foothold was established, lateral movement within the internal network or cloud workloads could occur to identify valuable assets. The attacker likely established command & control via outbound connections from the compromised system, possibly leveraging encrypted or covert channels. Sensitive data or intellectual property may have been exfiltrated through allowed egress pathways. Ultimately, the attacker could achieve disruptive impact, such as deploying additional malware or interfering with operational processes.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited the DELMIA Apriso deserialization flaw by sending a specially-crafted SOAP request with a base64-encoded, compressed Windows executable, resulting in remote code execution.
Related CVEs
CVE-2025-5086
CVSS 9
A deserialization of untrusted data vulnerability in DELMIA Apriso from Release 2020 through Release 2025 could lead to remote code execution.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wild
CVE-2025-6204
CVSS 9
An Improper Control of Generation of Code (Code Injection) vulnerability in DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wild
CVE-2025-6205
CVSS 9.8
A missing authorization vulnerability in DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Process Injection
Application Layer Protocol: Web Protocols
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protection from Known Vulnerabilities
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT-related Incident Management
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Proactive Vulnerability and Patch Management
Control ID: Applications: Vulnerability Management
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
CVE-2025-5086 in DELMIA Apriso MES systems enables remote code execution, compromising manufacturing operations and requiring zero trust segmentation for protection.
Industrial Automation
Manufacturing Execution Systems face deserialization vulnerabilities allowing attackers remote control over production lines, demanding enhanced threat detection and east-west traffic security.
Aerospace/Aviation
Aviation manufacturers using Dassault systems are vulnerable to remote exploitation through SOAP web services, necessitating inline IPS and encrypted traffic monitoring capabilities.
Defense/Space
Defense manufacturers leveraging MOM/MES platforms are exposed to sophisticated attacks, requiring multicloud visibility, anomaly detection, and compliance with NIST security frameworks.
Sources
- Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086 (Wed, Sep 3rd) – https://isc.sans.edu/diary/rss/32256 [Verified]
- CVE-2025-5086 | Dassault Systèmes – https://www.3ds.com/trust-center/security/security-advisories/cve-2025-5086 [Verified]
- CVE-2025-6204 | Dassault Systèmes – https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204 [Verified]
- CVE-2025-6205 | Dassault Systèmes – https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205 [Verified]
- NVD - CVE-2025-5086 – https://nvd.nist.gov/vuln/detail/CVE-2025-5086 [Verified]
- NVD - CVE-2025-6204 – https://nvd.nist.gov/vuln/detail/CVE-2025-6204 [Verified]
- NVD - CVE-2025-6205 – https://nvd.nist.gov/vuln/detail/CVE-2025-6205 [Verified]
- Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086 – https://isc.sans.edu/diary/Exploit+Attempts+for+Dassault+DELMIA+Apriso+CVE20255086/32256 [Verified]
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, robust east-west controls, inline IPS, centralized visibility, and egress policy enforcement could have greatly limited the adversary's ability to move laterally, execute code, establish command & control, and exfiltrate data at multiple kill chain stages. Enforcement of these CNSF controls would segment workloads, restrict exploit paths, and enable rapid detection and containment of malicious actions.
Control: Inline IPS (Suricata)
Mitigation: Attack blocked at network perimeter or micro-perimeter based on exploit signatures or malformed traffic.
Control: Zero Trust Segmentation
Mitigation: Containment of threat by limiting compromised workload’s access to other systems and privileges.
Control: East-West Traffic Security
Mitigation: Malicious lateral movement attempts are prevented or promptly detected.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound connections denied or flagged for investigation.
Control: Multicloud Visibility & Control
Mitigation: Detection and prevention of unauthorized data exfiltration events; rapid detection and containment of destructive or unusual behaviors.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Supply Chain Management
- Production Planning
Estimated downtime: 5 days
Estimated loss: $1,500,000
Potential exposure of sensitive manufacturing data, including proprietary production processes and supply chain information.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS and cloud firewall controls at workload ingress points to detect and block exploit attempts such as SOAP deserialization attacks.
- Enforce zero trust segmentation and least privilege across application and network layers to prevent lateral movement and privilege escalation from compromised systems.
- Establish egress filtering and outbound policy enforcement to block unauthorized command & control and exfiltration channels.
- Enable robust monitoring, traffic observability, and threat anomaly detection to catch policy violations and malicious activities early.
- Regularly validate and update vulnerable applications, while integrating CNSF controls into DevOps and cloud migration practices for proactive protection.