Critical DELMIA Apriso RCE Flaw CVE-2025-5086 Under Attack, CISA Alerts


CISA has issued a warning about a newly discovered and actively exploited vulnerability in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software. This flaw, identified as CVE-2025-5086, has now been officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after evidence confirmed real-world attacks.

With a CVSS severity score of 9.0 out of 10, CVE-2025-5086 is rated critical. It affects DELMIA Apriso from Release 2020 through Release 2025. According to the vendor, Dassault Systèmes, the root cause is deserialization of untrusted data, a bug class that leads directly to remote code execution (RCE): the service reconstructs objects from data it receives over the network, so an attacker who can reach an exposed Apriso web service can have the server run code of their choosing without any physical access to it.

Reports from the SANS Internet Storm Center revealed that cybercriminals are already attempting to exploit this vulnerability. Exploitation attempts were detected from the IP address 156.244.33[.]162, which is geolocated to Mexico.

The attackers are targeting the “/apriso/WebServices/FlexNetOperationsService.svc/Invoke” endpoint in DELMIA Apriso with a malicious HTTP request (the .svc extension marks this as a .NET WCF web service, which fits the vendor's description of a deserialization flaw). The request carries a Base64-encoded payload which, once decoded, is a GZIP-compressed Windows executable, a DLL named fwitxz01.dll.

Security researchers determined that this DLL is malware. Kaspersky detects it as Trojan.MSIL.Zapchast.gen (the MSIL in the name indicates a .NET assembly), a family built for electronic spying.

Once executed, the malware can:

  • Record keyboard input (keylogging)

  • Capture screenshots of the victim’s computer

  • Collect a list of running applications

  • Gather sensitive information without the user’s knowledge

The stolen data is then secretly sent back to the attacker using different methods, including email, FTP, or hidden HTTP requests.

This behavior makes Zapchast a highly effective surveillance tool for cybercriminals. According to Bitdefender and Trend Micro, Zapchast variants have been around for more than a decade and are often spread via phishing emails with infected attachments. While it’s not yet confirmed if this latest variant is an upgraded form of the malware, its active use in real-world attacks highlights the urgency of patching systems immediately.

Dassault Systèmes’ DELMIA Apriso is widely used in manufacturing industries around the world for operations management, logistics, and supply chain optimization. A successful cyberattack exploiting CVE-2025-5086 could disrupt production, leak intellectual property, or expose sensitive industrial data.

For cybercriminals and state-sponsored groups, targeting manufacturing software is attractive because it can give them leverage over critical infrastructure. In today’s threat landscape, such vulnerabilities are not just a risk to individual companies but also to entire supply chains.


In its advisory, CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to apply the vendor updates no later than October 2, 2025, the remediation deadline that Binding Operational Directive 22-01 attaches to every KEV entry.

However, security experts stress that this guidance should not be limited to government agencies. Any organization using affected versions of DELMIA Apriso should take immediate action to safeguard their networks.

Recommended Security Steps:

  1. Apply vendor patches without delay – Update DELMIA Apriso to the latest patched release provided by Dassault Systèmes. Where a patch window cannot be scheduled immediately, restrict network access to the Apriso web service endpoints to the hosts that genuinely need them.

  2. Monitor network traffic – Review web server, reverse-proxy or WAF logs for POST requests to /apriso/WebServices/FlexNetOperationsService.svc/Invoke, paying particular attention to unfamiliar source addresses and to requests with unusually large bodies, which is where the Base64-encoded, GZIP-compressed executable is carried.

  3. Check for compromise – Scan systems for fwitxz01.dll and other Zapchast-related indicators. Since a filename is trivial for an attacker to change, also look for any unexpected DLL or executable written under the Apriso installation or by the application server's worker process around the time of suspicious Invoke requests.

  4. Harden defenses – Use endpoint detection and response (EDR) tools to block malicious payloads and alert on the application server spawning or loading unexpected binaries.

  5. Educate employees – Since Zapchast variants are often distributed via phishing, staff training on identifying malicious emails remains crucial.
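The request pattern reported above (a POST to the Invoke endpoint whose body carries Base64-encoded, GZIP-compressed Windows executable) and the monitoring and compromise checks in steps 2 and 3 can be turned into a single detection routine. The block below is an added example written for this article; it is not Dassault Systèmes' code nor the SANS ISC tooling. The captured-request tuples, the SOAP-style wrapper and the FAKE_PE blob are constructed for illustration: the article does not publish the real request structure, and the stand-in blob is just an MZ header plus padding, not the actual fwitxz01.dll.

```python
"""Detection sketch for the CVE-2025-5086 exploitation pattern (added example)."""
from __future__ import annotations

import base64
import gzip
import re
import zlib
from dataclasses import dataclass, field
from typing import Iterable, Optional

TARGET_ENDPOINT = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
KNOWN_SOURCE_IP = "156.244.33.162"   # exploitation source reported by SANS ISC (defanged in the article)
KNOWN_FILENAME = "fwitxz01.dll"      # DLL name reported by SANS ISC

# A run of base64 alphabet long enough to be a binary blob rather than an XML token;
# a real gzipped PE is thousands of characters, so 40 is a deliberately low bar.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded_pe(body: str) -> Optional[bytes]:
    """Return the decompressed bytes if body carries base64(gzip(<PE>)), else None."""
    for match in B64_RUN.finditer(body):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if raw[:2] != b"\x1f\x8b":    # gzip magic bytes
            continue
        try:
            data = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            continue
        if data[:2] == b"MZ":         # DOS header shared by every Windows exe/dll
            return data
    return None


@dataclass
class Finding:
    src_ip: str
    path: str
    reasons: list = field(default_factory=list)


def inspect_request(src_ip: str, method: str, path: str, body: str) -> Optional[Finding]:
    """Score one captured request, e.g. from a WAF or reverse proxy that logs bodies."""
    reasons = []
    if src_ip == KNOWN_SOURCE_IP:
        reasons.append("source IP matches the exploitation source reported by SANS ISC")
    is_invoke = (method.upper() == "POST"
                 and path.split("?", 1)[0].lower() == TARGET_ENDPOINT.lower())
    if is_invoke:
        pe = decode_embedded_pe(body)
        if pe is not None:
            reasons.append(f"Invoke body carries a base64+gzip Windows executable ({len(pe)} bytes)")
        if KNOWN_FILENAME.lower() in body.lower():
            reasons.append(f"Invoke body references {KNOWN_FILENAME}")
    return Finding(src_ip, path, reasons) if reasons else None


def scan(requests: Iterable[tuple]) -> list[Finding]:
    """Run inspect_request over (src_ip, method, path, body) tuples, keep the hits."""
    return [f for f in (inspect_request(*r) for r in requests) if f is not None]


def build_payload(blob: bytes) -> str:
    """base64(gzip(blob)), the encoding the article describes for the malicious request."""
    return base64.b64encode(gzip.compress(blob)).decode("ascii")


def soap_wrapper(payload_b64: str, filename: str = "") -> str:
    # Constructed wrapper: the real request structure is not published in the article.
    name_el = f"<FileName>{filename}</FileName>" if filename else ""
    return (f"<s:Envelope><s:Body><Invoke>{name_el}<Data>{payload_b64}</Data>"
            "</Invoke></s:Body></s:Envelope>")


# Stand-in "DLL": an MZ header plus incompressible padding, NOT the real malware.
FAKE_PE = b"MZ" + bytes(range(256)) + b"PE\0\0" + bytes(range(255, -1, -1))

# Constructed sample traffic.
SAMPLE_REQUESTS = [
    # the pattern from the SANS ISC report: known IP, Invoke endpoint, gzipped PE, DLL name
    (KNOWN_SOURCE_IP, "POST", TARGET_ENDPOINT, soap_wrapper(build_payload(FAKE_PE), KNOWN_FILENAME)),
    # an ordinary Invoke call carrying a small text payload
    ("10.0.0.5", "POST", TARGET_ENDPOINT, soap_wrapper(build_payload(b"<Order id='42'/>"))),
    # unrelated traffic
    ("10.0.0.7", "GET", "/apriso/Portal/Default.aspx", ""),
    # same payload from an unlisted IP: detection must not hinge on the one published address
    ("192.0.2.44", "POST", TARGET_ENDPOINT + "?op=Invoke", soap_wrapper(build_payload(FAKE_PE))),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f.src_ip, f.path)
        for r in f.reasons:
            print("  -", r)
```

The decode chain (Base64, then the 1f 8b gzip magic, then the MZ header) is what makes the check robust: it fires on the fourth sample request, where neither the published IP nor the published filename appears, while an ordinary Invoke call with a small serialized payload produces no finding. Treat the IP and filename matches as corroboration, not as the primary signal.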

The inclusion of CVE-2025-5086 in the KEV catalog emphasizes a recurring theme in cybersecurity: attackers are quick to weaponize newly disclosed vulnerabilities. Even before many organizations have time to patch, malicious actors are scanning the internet for exposed systems.

For businesses, this incident is another reminder of why timely patch management, proactive monitoring, and layered defenses are essential. Ignoring critical vulnerabilities can result in data theft, ransomware attacks, or even full operational shutdowns.

CVE-2025-5086 in DELMIA Apriso is not just another security bug—it’s an actively exploited vulnerability with the potential to cause significant damage if left unpatched. With CISA sounding the alarm and exploitation attempts already detected in the wild, organizations must act fast.

For manufacturers and enterprises relying on DELMIA Apriso, applying updates and reinforcing defenses should be treated as an urgent priority. Cybercriminals are already on the move, and every day without a patch increases the risk of compromise.
