RCE vulnerability in Dassault Systèmes’ manufacturing management platform now being actively targeted.

Attackers have been spotted targeting a critical remote code execution (RCE) vulnerability in a key manufacturing management platform used by some of the world’s largest companies.
First made public on the maker’s site in June, the vulnerability is CVE-2025-5086 in Delmia Apriso, a Manufacturing Operations Management (MOM) platform from Dassault Systèmes best described as a giant piece of middleware that sits between and coordinates many manufacturing functions across production, machine maintenance, quality control, and inventory. It affects all versions from Release 2020 through Release 2025.
Despite the risk the vulnerability poses to a fundamental manufacturing system, Dassault Systèmes has offered only the barest details about the flaw or how it might be mitigated, even on its customer support portal.
Instead, the little public information that has emerged is from third-party sources, most prominently last week when CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog. This describes the flaw simply as “a deserialization of untrusted data vulnerability that could lead to a remote code execution,” with a CVSS score of 9.0, or ‘critical.’
Some days earlier, Johannes Ullrich of the SANS Internet Storm Center (ISC) published a separate alert on CVE-2025-5086 offering more context. It’s possible, though unconfirmed, that this advisory was the source for CISA’s warning.
“When I am thinking about the security of manufacturing environments, I am usually focusing on IoT devices integrated into production lines. All the little sensors and actuators are often very difficult to secure,” wrote Ullrich. “On the other hand, there is also ‘big software’ that is used to manage manufacturing.” Although it’s less frequently an issue, he noted, “complex systems like this have bugs, too.”
When he uploaded the exploit to VirusTotal, it was detected by only one anti-malware engine, Kaspersky, Ullrich found. This identified it as ‘MSIL.Zapchast.gen,’ a vague label applied to many Trojans that look a bit like the original Zapchast malware from 2006.
What it doesn’t do is offer any clues as to who is behind the attacks targeting Delmia Apriso, although the obvious worry will be exploits wielded by ransomware actors.
“The scans originate from 156.244.33.162,” Ullrich wrote, with the string “Project Discovery CVE-2025-5086” within the executable. This suggested the attack had happened after reconnaissance by a vulnerability scanner, he speculated.
If so, a pessimistic interpretation of this is that the attackers knew what they were looking for and might therefore not be the first to attempt such a scan.
Rough patch
The Dassault Systèmes website currently showcases 556 companies using the platform in their operations, which is likely only a sample of the full customer base. The company acquired the software under its Delmia brand when it bought US software company Apriso in 2013.
For any manufacturer using it, many of whom will be large, global enterprises, it will be a fundamental platform without which they’d struggle to operate. This dependence explains why taking down the numerous manufacturing processes managed by Delmia Apriso as part of a patching process is unlikely to be simple.
CSOonline approached Dassault Systèmes for more detail on how customers should mitigate or manage the issue, but received no comment by press time.
However, the administration documentation indicates that the software has followed an annual release schedule since 2020, which means that updates will be for any one of six versions. Security fixes seem to occur as part of service packs, for which the customer must initiate downloads.
John E. Dunn is a veteran cybersecurity reporter, specializing in crisis response, ransomware, data breaches, encryption, quantum computing and QKD, DevSecOps, managed services, cybersecurity in education, retail cybersecurity, vulnerability reporting, and cybersecurity ethics.
John is a former editor of the UK editions of Personal Computer Magazine, LAN Magazine, and Network World. In 2003 he co-founded Techworld, since when he has covered cybersecurity and business computing for a range of publications including Computerworld, Forbes, Naked Security, The Register, and The Times.