CVE-2025-5086
Published: 02 June 2025
Summary
CVE-2025-5086 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Dassault Systèmes (3DS) DELMIA Apriso. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
A deserialization of untrusted data vulnerability, tracked as CVE-2025-5086 and assigned CWE-502, affects Dassault Systèmes DELMIA Apriso releases from 2020 through 2025. The flaw carries a CVSS 3.1 score of 9.0 with a network attack vector, high complexity, no required privileges or user interaction, and changed scope, enabling remote code execution that can fully compromise confidentiality, integrity, and availability.
An unauthenticated attacker able to supply crafted serialized data over the network can trigger arbitrary code execution on affected systems. The high complexity rating indicates that successful exploitation requires specific conditions, yet the absence of authentication or user interaction lowers the barrier once those conditions are met.
Vendor advisories hosted at 3ds.com detail available patches and mitigation steps for supported releases, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog. A SANS Internet Storm Center diary documents observed exploit attempts against the vulnerability.
The EPSS score reached a peak of 0.4651 and remains elevated at 0.4139, reflecting a clear post-disclosure increase in exploitation interest that warrants renewed defensive attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16682
Vulnerability details
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to remote code execution.
- CWE(s): CWE-502
- KEV Date Added: 11 September 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of untrusted serialized input before deserialization, blocking the CWE-502 vector that leads to RCE.
- SI-3 (Malicious Code Protection): Enforces malicious-code detection and blocking mechanisms that can identify and stop execution of code resulting from unsafe deserialization.
- Integrity verification: Requires integrity verification of software and data, enabling detection of unauthorized code or objects introduced via the deserialization flaw.