The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers exploiting a critical remote code execution flaw in DELMIA Apriso, a  manufacturing operations management (MOM) and execution (MES) solution from French company Dassault Systèmes.

The agency added the vulnerability, tracked as CVE-2025-5086 and rated with a critical severity score (CVSS v3: 9.0), to the Known Exploited Vulnerabilities (KEV).

DELMIA Apriso is used in production processes for digitalizing and monitoring. Enterprises worlwide rely on it to schedule production, for quality management, allocate resources, warehouse management, and for integration between production equipment and business applications.

It is typically deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions, where high quality control, traceability, compliance, and a high level of process standardization are critical.

The flaw is a deserialization of untrusted data vulnerability that may lead to remote code execution (RCE).

The vendor disclosed the issue on June 2, noting that it impacts all versions of DELMIA Apriso from Release 2020 through Release 2025, without sharing many details.

On September 3, threat researcher Johannes Ullrich published a post on SANS ISC disclosing observation of active exploitation attempts leveraging CVE-2025-5086.

The observed exploit involves sending a malicious SOAP request to vulnerable endpoints that loads and executes a Base64-encoded, GZIP-compressed .NET executable embedded in the XML.

The actual payload is a Windows executable tagged as malicious by Hybrid Analysis and flagged only by one engine in VirusTotal.

The malicious requests were observed originating from the IP 156.244.33[.]162, likely associated with automated scans.

CISA has not linked to the Ullrich report, so it is unclear if this is the report that prompted them to add CVE-2025-5086 to KEV, or if they had a separate source confirming exploitation.

The U.S. government agency is now giving the federal enterprise sector until October 2 to apply available security updates or mitigations, or stop using DELMIA Apriso.

Although the BOD 22-01 guidance is binding only for federal agencies, private organizations around the world should also consider CISA’s warning and take appropriate action.