Skip to main content

CVE-2025-5086: CWE-502 Deserialization of Untrusted Data in Dassault Systèmes DELMIA Apriso

Critical
VulnerabilityCVE-2025-5086cvecve-2025-5086cwe-502
Published: Mon Jun 02 2025 (06/02/2025, 17:42:42 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: DELMIA Apriso

Description

A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.

AI-Powered Analysis

AILast updated: 07/11/2025, 03:04:07 UTC

Technical Analysis

CVE-2025-5086 is a critical vulnerability identified in Dassault Systèmes' DELMIA Apriso product, spanning releases from 2020 Golden through 2025 Golden. The vulnerability is classified under CWE-502, which pertains to the deserialization of untrusted data. Deserialization vulnerabilities occur when an application deserializes data from untrusted sources without sufficient validation or sanitization, potentially allowing attackers to craft malicious serialized objects that, when deserialized, can execute arbitrary code. In this case, the flaw enables remote code execution (RCE) without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). The attack vector is network-based, but the attack complexity is high, suggesting that exploitation requires specific conditions or crafted payloads. The vulnerability affects multiple major releases of DELMIA Apriso, a manufacturing operations management software widely used in industrial environments for production planning, execution, and monitoring. The deserialization flaw could allow an attacker to execute arbitrary code remotely, compromising confidentiality, integrity, and availability of the affected systems. The vulnerability has been publicly disclosed as of June 2, 2025, but no known exploits are reported in the wild yet. No official patches have been linked at the time of disclosure, which increases the urgency for organizations to implement mitigations and monitor for updates from Dassault Systèmes.

Potential Impact

For European organizations, especially those in manufacturing, automotive, aerospace, and industrial sectors where DELMIA Apriso is deployed, this vulnerability poses a significant risk. Successful exploitation could lead to full system compromise, enabling attackers to steal sensitive intellectual property, disrupt production lines, manipulate manufacturing processes, or cause denial of service. Given the critical role of DELMIA Apriso in operational technology (OT) environments, an incident could have cascading effects on supply chains and industrial productivity. The confidentiality breach could expose proprietary manufacturing data, while integrity violations might result in defective products or safety hazards. Availability impacts could halt production, causing financial losses and reputational damage. The lack of authentication and user interaction requirements means attackers can potentially exploit this vulnerability remotely and autonomously, increasing the threat surface. European organizations with interconnected IT and OT networks are particularly vulnerable to lateral movement and escalation following exploitation.

Mitigation Recommendations

Immediate mitigation steps should include network segmentation to isolate DELMIA Apriso servers from untrusted networks and restrict inbound traffic to only trusted management stations. Organizations should implement strict firewall rules and intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous deserialization activity or unusual network traffic patterns targeting DELMIA Apriso. Monitoring logs for unexpected deserialization errors or suspicious remote connections is critical. Until official patches are released, consider disabling or restricting features that accept serialized input from untrusted sources if feasible. Employ application-layer gateways or proxies that can validate or sanitize serialized data. Engage with Dassault Systèmes support channels to obtain early access to patches or workarounds. Conduct thorough vulnerability assessments and penetration testing focused on deserialization attack vectors. Additionally, ensure robust backup and incident response plans are in place to minimize impact in case of compromise.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
3DS
Date Reserved
2025-05-22T11:43:30.702Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683de64b182aa0cae24f7c49

Added to database: 6/2/2025, 5:58:35 PM

Last enriched: 7/11/2025, 3:04:07 AM

Last updated: 8/16/2025, 2:20:53 PM

Views: 163

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats