Executive Summary
In September 2025, a critical vulnerability (CVE-2025-5086, CVSS 9.0) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management software was found to be actively exploited in the wild. Threat actors leveraged this flaw to gain unauthorized access, bypassing authentication and executing arbitrary code on exposed systems. The breach impacted several manufacturing sector organizations globally, leading to disruptions in operational technology, potential data compromise, and urgent incident response actions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog and issuing public guidance for immediate patching and mitigation.
This incident is significant as adversaries continue to target vulnerable OT/IoT platforms central to manufacturing operations. The increased frequency of high-severity vulnerabilities in critical infrastructure software, combined with rapid weaponization by threat actors, is driving regulatory scrutiny and highlighting the urgent need for robust vulnerability management and zero trust controls across industrial environments.
Why This Matters Now
This vulnerability is being exploited in the wild, putting manufacturing environments at immediate risk. The active nature of these attacks underscores the urgency for manufacturers and related industries to rapidly patch DELMIA Apriso systems and strengthen segmentation and monitoring controls to prevent further compromise of operational technology.
Attack Path Analysis
Attackers exploited CVE-2025-5086 in DELMIA Apriso to gain initial access to the targeted cloud or hybrid environment. Following the breach, they likely escalated privileges by abusing application or cloud permissions. Once elevated, they moved laterally across internal services and workloads, seeking additional targets. The adversaries established command and control channels—potentially using outbound or covert channels to communicate with external infrastructure. Sensitive data was then exfiltrated through unauthorized outbound channels. Ultimately, the attackers impacted operations and data integrity, potentially disrupting manufacturing processes or deploying malware.
Kill Chain Progression
Initial Compromise
Description
Exploitation of CVE-2025-5086 in DELMIA Apriso allowed attackers to gain entry via a vulnerable public-facing application or API.
Related CVEs
CVE-2025-5086
CVSS 9.0. A deserialization of untrusted data vulnerability in DELMIA Apriso from Release 2020 through Release 2025 could lead to remote code execution.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020, Release 2021, Release 2022, Release 2023, Release 2024, Release 2025
Exploit Status:
exploited in the wild
CVE-2025-6205
CVSS 8.5. A missing authorization vulnerability in DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020, Release 2021, Release 2022, Release 2023, Release 2024, Release 2025
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Exploitation for Privilege Escalation
Valid Accounts
Impair Defenses
Network Service Scanning
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9(2)
CISA ZTMM 2.0 – Ensure Timely Patching
Control ID: Application and Workload: Patch Management
NIS2 Directive – Handling and Reporting of Security Risks
Control ID: Article 21(2)f
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Critical CVE-2025-5086 in DELMIA Apriso MOM software directly threatens automotive manufacturing operations, enabling lateral movement and compromise of production control systems, and requires immediate segmentation.
Aviation/Aerospace
Manufacturing Operations Management vulnerabilities expose aerospace production to critical exploits, demanding zero trust segmentation and enhanced east-west traffic security for mission-critical manufacturing processes.
Industrial Automation
Active exploitation of Dassault Systèmes DELMIA Apriso creates severe risks for industrial control systems, necessitating threat detection, anomaly response, and secure hybrid connectivity implementations.
Pharmaceuticals
Critical manufacturing software vulnerabilities threaten pharmaceutical production integrity and HIPAA compliance, requiring immediate egress security controls and multicloud visibility for regulatory protection.
Sources
- Critical CVE-2025-5086 in DELMIA Apriso Actively Exploited, CISA Issues Warning: https://thehackernews.com/2025/09/critical-cve-2025-5086-in-delmia-apriso.html
- CISA Adds One Known Exploited Vulnerability to Catalog: https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
- NVD - CVE-2025-5086: https://nvd.nist.gov/vuln/detail/CVE-2025-5086
- Dassault Systèmes Security Advisories: https://www.3ds.com/vulnerability/advisories
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF-aligned controls such as Zero Trust Segmentation, East-West Traffic Security, inline IPS, and strict egress enforcement would have significantly constrained or detected this attack at multiple points, reducing blast radius, stopping lateral movement, and blocking data exfiltration. Centralized visibility and anomaly detection further enable rapid response and containment.
Control: Inline IPS (Suricata)
Mitigation: Prevented exploit payloads targeting known vulnerabilities.
Control: Zero Trust Segmentation
Mitigation: Blocked lateral access to high-privilege assets.
Control: East-West Traffic Security
Mitigation: Detected and prevented unauthorized inter-workload movement.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized external communications.
Control: Encrypted Traffic (HPE) & Egress Security & Policy Enforcement
Mitigation: Detected and blocked suspicious outbound data transfer.
Rapid detection and alerting on disruptive behavior.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations Management
- Supply Chain Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive manufacturing data, including proprietary production processes and client information.
Recommended Actions
Key Takeaways & Next Steps
- Prioritize patching of public-facing applications like DELMIA Apriso and incorporate inline IPS controls for real-time exploit prevention.
- Enforce Zero Trust Segmentation to restrict workload and identity access paths, minimizing lateral movement potential.
- Deploy granular east-west traffic policies and monitoring to detect and block unauthorized internal connections.
- Strengthen egress filtering and encrypted traffic controls to stop exfiltration and external C2.
- Implement automated anomaly detection to accelerate incident response and minimize operational disruption.