Article Details
Scrape Timestamp (UTC): 2025-09-12 12:14:46.649
Source: https://thehackernews.com/2025/09/critical-cve-2025-5086-in-delmia-apriso.html
Original Article Text
Click to Toggle View
Critical CVE-2025-5086 in DELMIA Apriso Actively Exploited, CISA Issues Warning. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-5086, carries a CVSS score of 9.0 out of 10.0. According to Dassault, the issue impacts versions from Release 2020 through Release 2025. "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution," the agency said in an advisory. The addition of CVE-2025-5086 to the KEV catalog comes after the SANS Internet Storm Center reported seeing exploitation attempts targeting the flaw that originate from the IP address 156.244.33[.]162, which geolocates to Mexico. The attacks involve sending an HTTP request to the "/apriso/WebServices/FlexNetOperationsService.svc/Invoke" endpoint with a Base64-encoded payload that decodes to a GZIP-compressed Windows executable ("fwitxz01.dll"), Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said. Kaspersky has flagged the DLL as "Trojan.MSIL.Zapchast.gen," which the company describes as a malicious program designed to electronically spy on a user's activities, including capturing keyboard input, taking screenshots, and gathering a list of active applications, among others. "The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request)," the Russian cybersecurity vendor added. Zapchast variants, according to Bitdefender and Trend Micro, have been distributed via phishing emails bearing malicious attachments for over a decade. It's currently not clear if "Trojan.MSIL.Zapchast.gen" is an improved version of the same malware. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary updates by October 2, 2025, to secure their networks.
Daily Brief Summary
CISA has added CVE-2025-5086, a critical flaw in Dassault Systèmes DELMIA Apriso software, to its Known Exploited Vulnerabilities catalog due to active exploitation.
The vulnerability, affecting versions from Release 2020 to 2025, allows remote code execution through deserialization of untrusted data, posing significant security risks.
Exploitation attempts have been traced to an IP address in Mexico, involving HTTP requests with Base64-encoded payloads targeting specific software endpoints.
The payload decodes to a GZIP-compressed Windows DLL, identified as "Trojan.MSIL.Zapchast.gen," capable of electronic surveillance and data exfiltration.
"Trojan.MSIL.Zapchast.gen" has been linked to phishing campaigns over the past decade, with capabilities to capture keystrokes, screenshots, and active application lists.
Federal Civilian Executive Branch agencies have been instructed to implement necessary updates by October 2, 2025, to mitigate potential threats.
Organizations using affected software should prioritize patching and monitoring for unusual network activity to protect against exploitation.