CISA Adds DELMIA Manufacturing Software Vulnerability To KEV List

CISA Adds New Vulnerability to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a notable vulnerability affecting manufacturing operations management software in its Known Exploited Vulnerabilities (KEV) catalog. This marks a significant entry of an industrial control system (ICS) and operational technology (OT) vulnerability into the list, highlighting ongoing concerns in the manufacturing sector.

Understanding CVE-2025-5086

The vulnerability, tracked as CVE-2025-5086, is a deserialization of untrusted data flaw with a severity score of 9.0. It impacts DELMIA Apriso, a software package developed by Dassault Systèmes that plays a crucial role in managing production processes and integrating factory activities with enterprise resource planning (ERP) systems. The vulnerability affects all software releases from 2020 through 2025 and can lead to remote code execution (RCE).

Recent Exploitation Attempts

In a blog entry dated September 3, Johannes Ullrich from the SANS Internet Storm Center (ISC) highlighted ongoing attempts to exploit CVE-2025-5086. The attacks appear to originate from the IP address 156.244.33[.]162. The exploit targets the WebServices/FlexNetOperationsService service using SOAP requests that carry an XML-encoded payload, which decodes into a GZIP-compressed Windows executable. Alarmingly, security scans indicated that this payload remains undetected by most security tools, with only one identifying it on VirusTotal.

Further analyses by Cyble noted the presence of “Project Discovery CVE-2025-5086,” suggesting the scans could be conducted by a dedicated vulnerability scanner. A public scanning script for this vulnerability is available, increasing the likelihood of further attacks.
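A defender-side check for the request pattern reported above, added here as an example (it is not code from SANS ISC, Cyble, CISA or Dassault Systèmes): it flags POST bodies sent to WebServices/FlexNetOperationsService that carry an encoded blob which gunzips to a Windows executable header. It assumes the blob is base64 text inside the XML, which the article does not state; the function names, the `Example` element and the sample bodies are constructed.

```python
import base64
import gzip
import re
import zlib

# Service path named in the article; matched case-insensitively.
ENDPOINT = "webservices/flexnetoperationsservice"
# Assumption: the blob is base64 text inside the XML body.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def gzip_wrapped_pe_offsets(body: bytes) -> list[int]:
    """Offsets of base64 runs that decode to gzip data starting with 'MZ'."""
    hits = []
    for m in B64_RUN.finditer(body):
        run = m.group(0).rstrip(b"=")
        run += b"=" * (-len(run) % 4)          # normalise padding
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            continue
        if raw[:2] != b"\x1f\x8b":              # gzip magic bytes
            continue
        try:
            # Inflate only the first 64 bytes so an oversized stream costs nothing.
            head = zlib.decompressobj(wbits=31).decompress(raw, 64)
        except zlib.error:
            continue
        if head[:2] == b"MZ":                   # DOS/PE header of a Windows executable
            hits.append(m.start())
    return hits

def triage(method: str, path: str, body: bytes) -> list[int]:
    """Inspect only POSTs to the targeted service; return offsets of suspect blobs."""
    if method.upper() != "POST" or ENDPOINT not in path.lower():
        return []
    return gzip_wrapped_pe_offsets(body)

def wrap(blob: bytes) -> bytes:
    """Constructed SOAP body; the element name is a placeholder, not Apriso's schema."""
    return b"<soap:Envelope><soap:Body><Example>" + blob + b"</Example></soap:Body></soap:Envelope>"

# Constructed samples: a stand-in "executable" (MZ plus filler) and two benign bodies.
FAKE_PE = b"MZ" + bytes(range(256))
SUSPECT = wrap(base64.b64encode(gzip.compress(FAKE_PE)))
BENIGN_TEXT = wrap(base64.b64encode(b"plain report text " * 5))
BENIGN_GZIP = wrap(base64.b64encode(gzip.compress(b"<report>ok</report>" * 20)))
```

The same function can be run over captured request bodies from a reverse proxy or WAF log; base64 that is split across lines or entity-encoded would need to be normalised first.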

Impact on Manufacturing Environments

DELMIA Apriso is widely utilized across various industries, including aerospace, automotive, and consumer goods sectors. As it is integral to production and supply chain management, any breach could severely disrupt manufacturing operations. Therefore, it is critical for organizations reliant on this software to prioritize timely patching and mitigation strategies.

Ullrich expressed concerns about security in manufacturing settings, where attention typically focuses on IoT devices integrated within production lines. He emphasized the challenge of securing many small sensors and actuators but also pointed to vulnerabilities in large-scale software systems like DELMIA Apriso that are essential for managing production tasks and linking factory operations with ERP systems. Such complex systems are not immune to bugs that can lead to significant security issues.

ICS/OT Vulnerabilities and CISA’s Recommendations

CISA’s inclusion of CVE-2025-5086 in the KEV catalog is particularly noteworthy, given the rarity of ICS and OT vulnerabilities appearing on this list. Historically, while many IT vulnerabilities are also relevant to ICS and OT products, the addition of industrial vulnerabilities is less common. The last similar entry was CVE-2023-6448, a 9.8-rated insecure default password issue found in Unitronics VisiLogic software prior to version 9.9.00, noted by CISA in December 2023.

In light of this new development, CISA has set a deadline of October 2 for Federal Civilian Executive Branch (FCEB) agencies to implement necessary updates related to CVE-2025-5086. Organizations using DELMIA Apriso or similar software platforms are encouraged to act swiftly to apply patches and bolster their cybersecurity defenses.
