Industrial and Manufacturing Systems Face Cyber Espionage-Like Attacks via DELMIA Apriso Flaw

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

A critical remote code execution flaw in Dassault Systèmes' DELMIA Apriso MES software is under active attack. Tracked as CVE-2025-5086, the bug allows the execution of arbitrary code and has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA.

The vulnerability has been linked to spyware targeting industrial systems. 

Dassault Systèmes DELMIA Apriso Vulnerability Exploitation for Cyber Espionage

Dassault Systèmes is the French software company that develops DELMIA Apriso. The flaw stems from the deserialization of untrusted data and affects DELMIA Apriso releases from 2020 through 2025. According to security researchers, it is exploited by sending an HTTP request to the endpoint /apriso/WebServices/FlexNetOperationsService.svc/Invoke.

The request delivers a GZIP-compressed DLL payload to execute spyware on targeted systems.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” noted the CISA advisory.

Cybersecurity experts are urging action to mitigate the operational risk posed to industries.

“Organizations that use Dassault Systèmes DELMIA Apriso MOM software should treat CVE-2025-5086 as an immediate priority,” said Jason Soroko, Senior Fellow at Sectigo, a Scottsdale-based certificate lifecycle management provider.

Risks Posed by the Exploitation of Dassault Systèmes DELMIA Apriso Vulnerability

Kaspersky, in its analysis, identified the Dynamic Link Library (DLL) payload as Trojan.MSIL.Zapchast.gen. It is a spyware variant that can intercept keystrokes, capture screenshots, and spy on active applications.

It can be further leveraged for data exfiltration and stealing credentials.

A DLL is a file format on Windows for data or code that can be used across programs. It allows applications to run functions without having to add all the code again. Attackers may use this to plant spyware on targeted systems.

Cybersecurity Experts Comment on the Rising Threat to Manufacturing Sector

Mayuresh Dani, Security Research Manager at the Qualys Threat Research Unit, warns that this vulnerability could have far-reaching consequences inside interconnected industrial environments.

“DELMIA Apriso is a Manufacturing Execution System (MES) that finds its place in enterprise resource and production line planning systems. Hence, this vulnerability has a high potential for lateral movement once initial compromise occurs.

“Manufacturing environments typically have interconnected systems reaching beyond publicly accessible systems,” Dani further added.

The SANS Internet Storm Center, a threat monitoring and analysis center, reported that exploit attempts originated from IP address 156.244.33.162. It was likely traceable to Mexico, Argentina, or the Seychelles.
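
A defender-side check for the endpoint and source IP reported above, as an added example that is not from the article, the researchers, or Dassault Systèmes: it scans web server logs for requests to the Invoke endpoint and groups them by client. It assumes the Apriso web tier writes IIS W3C extended logs with the fields shown; the log lines are constructed samples.

```python
from collections import defaultdict

# Endpoint and source IP are the ones named in the article.
ENDPOINT = "/apriso/webservices/flexnetoperationsservice.svc/invoke"
REPORTED_IPS = {"156.244.33.162"}

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2025-09-02 10:01:11 192.0.2.10 GET /apriso/Portal/Default.aspx 200 412
2025-09-02 10:03:40 156.244.33.162 POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke 500 48211
2025-09-02 10:03:52 156.244.33.162 POST /Apriso/WebServices/FlexNetOperationsService.svc/Invoke/ 200 48211
2025-09-02 10:07:05 198.51.100.7 POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke 200 903
2025-09-02 10:09:30 192.0.2.10 POST /apriso/WebServices/Other.svc/Invoke 200 650
"""

def find_invoke_requests(log_text):
    """Return {client_ip: summary} for requests to the Invoke endpoint."""
    fields, hits = [], defaultdict(lambda: {"count": 0, "max_bytes": 0,
                                             "statuses": set(), "reported": False})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):      # skip truncated or malformed rows
            continue
        row = dict(zip(fields, values))
        # IIS paths are case-insensitive; ignore a trailing slash.
        stem = row.get("cs-uri-stem", "").lower().rstrip("/")
        if stem != ENDPOINT:
            continue
        entry = hits[row.get("c-ip", "-")]
        entry["count"] += 1
        entry["statuses"].add(row.get("sc-status", "-"))
        size = row.get("cs-bytes", "0")
        entry["max_bytes"] = max(entry["max_bytes"], int(size) if size.isdigit() else 0)
        entry["reported"] = row.get("c-ip") in REPORTED_IPS
    return dict(hits)

if __name__ == "__main__":
    for ip, info in sorted(find_invoke_requests(SAMPLE_LOG).items()):
        tag = "REPORTED SOURCE" if info["reported"] else "review"
        print(f"{ip}: {info['count']} request(s), statuses {sorted(info['statuses'])}, "
              f"largest body {info['max_bytes']} bytes [{tag}]")
```

Requests to this endpoint can also come from legitimate integrations, so the result is a review list rather than a verdict; unusually large request bodies from unfamiliar clients are worth checking first, since the article describes a compressed DLL carried in the request.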

