DELMIA Factory Software Vulnerability Exploited in Attacks

A deserialization of untrusted data flaw in the MOM software allows attackers to achieve remote code execution.

Threat actors are exploiting a critical-severity vulnerability in DELMIA Apriso factory software, the US cybersecurity agency CISA warns.

Developed by French company Dassault Systèmes, DELMIA Apriso is a manufacturing operations management (MOM) and manufacturing execution system (MES) software designed for managing every detail of the manufacturing process. The software is used in North America, Europe, and Asia, including in the aerospace and defense, automotive, high-tech, and industrial equipment industries. 

Tracked as CVE-2025-5086 (CVSS score of 9.0), the security defect is described as a deserialization of untrusted data issue and impacts DELMIA Apriso releases 2020 through 2025.

The bug was publicly disclosed in June, but the vendor’s advisory did not share technical information on it, other than that it could be exploited for remote code execution (RCE).

On Thursday, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning that it has been exploited in the wild and urging federal agencies to patch it by October 2, as mandated by the Binding Operational Directive (BOD) 22-01.

The cybersecurity agency has not provided details on the observed attacks either and did not specify whether CVE-2025-5086 has been exploited in ransomware attacks.

CISA’s alert comes roughly one week after Johannes Ullrich of the SANS Internet Storm Center warned of exploitation attempts targeting the vulnerability.

“We are seeing exploits for DELMIA Apriso related issues. The exploit we are seeing is a deserialization problem. The scans originate from 156.244.33.162,” he noted on September 3.

Ullrich’s analysis of the observed requests uncovered encoded strings decoding to a compressed Windows executable that did not trigger VirusTotal detections.

However, the payload was flagged as malicious by Hybrid Analysis and Ullrich concluded that the observed requests could originate from a vulnerability scanner.

Given the central role DELMIA Apriso has in connecting factory equipment with ERP systems, organizations are advised to address the exploited CVE as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
