Critical Vulnerability in Dassault Systèmes Software Identified
Overview of the Vulnerability
On September 12, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a critical security vulnerability affecting Dassault Systèmes’ DELMIA Apriso Manufacturing Operations Management (MOM) software. The flaw, tracked as CVE-2025-5086, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation.
Severity and Impact
CVE-2025-5086 carries a Common Vulnerability Scoring System (CVSS) score of 9.0, placing it in the critical range. The issue affects multiple versions of the software, specifically those released between 2020 and 2025. According to the CISA advisory, the vulnerability stems from deserialization of untrusted data, which could allow remote code execution and puts affected systems at significant risk.
Evidence of Active Exploitation
This addition to the KEV catalog is not merely theoretical; active attempts to exploit the vulnerability have been reported. The SANS Internet Storm Center has identified targeted attacks originating from the IP address 156.244.33.162, which geolocates to Mexico. These reports are important for understanding the real-world impact of the vulnerability.
Method of Attack
The attacks involve sending specially crafted HTTP requests to the endpoint "/apriso/WebServices/FlexNetOperationsService.svc/Invoke". These requests carry Base64-encoded payloads that decode to a GZIP-compressed Windows executable, identified as "fwitxz01.dll". The structure of these requests shows that the software is being targeted deliberately rather than by opportunistic scanning.
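The payload chain described above (Base64 text in the request body that decodes to a GZIP stream wrapping a Windows executable) is simple to check for in web-server or WAF logs. The following triage script is an added example written for this article, not code from CISA, SANS ISC, or Dassault Systèmes. It takes the endpoint path and the reported source IP from the article, scans each request body for Base64 runs that decode to GZIP data beginning with an MZ header, and reports any matches. The sample requests at the bottom are constructed for the demonstration; the embedded "executable" is only an MZ header plus filler, not an actual DLL.

```python
import base64
import gzip
import re

# Indicators quoted from the article (CISA KEV entry for CVE-2025-5086 and the
# SANS ISC report): the targeted endpoint and the source IP seen in the attacks.
TARGET_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
REPORTED_SOURCE_IP = "156.244.33.162"

GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of any GZIP stream
PE_MAGIC = b"MZ"                  # DOS header that every Windows executable starts with
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long Base64-looking runs only


def find_wrapped_executables(body: str) -> list[bytes]:
    """Return the decoded executables found in a request body.

    Scans the body for Base64 runs, decodes each, and keeps those that are a
    GZIP stream whose decompressed content starts with an MZ header. This is
    the Base64 -> GZIP -> Windows executable chain described in the report.
    """
    found = []
    for run in BASE64_RUN.findall(body):
        try:
            raw = base64.b64decode(run, validate=True)
        except (ValueError, TypeError):
            continue                       # not valid Base64, move on
        if not raw.startswith(GZIP_MAGIC):
            continue
        try:
            inner = gzip.decompress(raw)
        except (OSError, EOFError):
            continue                       # truncated or corrupt GZIP data
        if inner.startswith(PE_MAGIC):
            found.append(inner)
    return found


def triage_request(source_ip: str, path: str, body: str) -> list[str]:
    """Return findings for one HTTP request; an empty list means nothing noted."""
    findings = []
    if path.split("?", 1)[0].lower() == TARGET_PATH.lower():
        findings.append("request to the DELMIA Apriso Invoke endpoint")
        if find_wrapped_executables(body):
            findings.append("Base64/GZIP-wrapped Windows executable in body")
    if source_ip == REPORTED_SOURCE_IP:
        findings.append("source IP matches the indicator reported by SANS ISC")
    return findings


# --- Constructed sample traffic (not captured data) ---------------------------
# Stand-in "executable": an MZ header plus filler bytes, no real code at all.
FAKE_PE = b"MZ" + bytes(range(256)) + b" stand-in for the example, not a real DLL"
WRAPPED = base64.b64encode(gzip.compress(FAKE_PE)).decode("ascii")

SAMPLE_REQUESTS = [
    # (source_ip, path, body)
    ("10.0.0.5", "/apriso/WebServices/FlexNetOperationsService.svc/Invoke",
     "<s:Envelope><s:Body><Invoke><name>GetOrders</name></Invoke></s:Body></s:Envelope>"),
    ("156.244.33.162", "/apriso/WebServices/FlexNetOperationsService.svc/Invoke",
     f"<s:Envelope><s:Body><Invoke><data>{WRAPPED}</data></Invoke></s:Body></s:Envelope>"),
    ("10.0.0.9", "/apriso/", "<html>login page</html>"),
]


def triage_all(requests=SAMPLE_REQUESTS) -> list[tuple[str, list[str]]]:
    """Run triage over a list of (source_ip, path, body) tuples."""
    return [(ip, triage_request(ip, path, body)) for ip, path, body in requests]


if __name__ == "__main__":
    for ip, findings in triage_all():
        print(ip, "->", findings or "no findings")
```

The endpoint and source-IP checks are independent: a request to the Invoke endpoint that carries a wrapped executable is flagged regardless of where it came from, and a request from the reported IP is flagged even if it hits a different path, since an indicator from a public report is worth noting on its own. The MZ check is deliberately narrow; a broader rule could also flag any GZIP-wrapped Base64 in SOAP bodies, at the cost of more false positives on legitimate attachments.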
Malicious Payload Details
Kaspersky, a well-known cybersecurity firm, has flagged the identified DLL file as "Trojan.MSIL.Zapchast.gen." This type of malware is designed to spy on user activities, making it a significant threat. Its capabilities include capturing keyboard inputs, taking screenshots, and compiling a list of currently active applications. The data gathered by this Trojan is relayed to cybercriminals through various channels, including email, FTP, and HTTP requests.
Long-standing Malware Threat
The Zapchast variants have been noted for their distribution via phishing emails with malicious attachments for over a decade. While it remains unclear if the "Trojan.MSIL.Zapchast.gen" detected in these exploits is an upgraded version of previous malware, its tracking by cybersecurity experts emphasizes the continuous nature of such threats.
Recommended Actions for Organizations
Given the ongoing exploitation of CVE-2025-5086, CISA urges all Federal Civilian Executive Branch (FCEB) agencies to act immediately. They are directed to apply the necessary updates to their systems by October 2, 2025, to guard against potential breaches and secure their networks.
Conclusion
As cyber threats continue to evolve, staying informed and proactive is essential for organizations using Dassault Systèmes’ DELMIA Apriso software. Timely updates and robust security measures are critical in safeguarding operations and preventing data breaches linked to this vulnerability.