CVE-2025-5086

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 02 June 2025
Modified: 29 October 2025
KEV Added: 11 September 2025
Patch
CVSS Score (v3.1): 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4139 (97.5th percentile)
Risk Priority: 63 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-5086 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Dassault Systèmes (3DS) DELMIA Apriso. Its CVSS 3.1 base score is 9.0 (Critical).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood (EPSS 0.4139, 97.5th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

A deserialization of untrusted data vulnerability, tracked as CVE-2025-5086 and assigned CWE-502, affects Dassault Systèmes DELMIA Apriso releases from 2020 through 2025. The flaw carries a CVSS 3.1 score of 9.0 with a network attack vector, high complexity, no required privileges or user interaction, and changed scope, enabling remote code execution that can fully compromise confidentiality, integrity, and availability.

An unauthenticated attacker able to supply crafted serialized data over the network can trigger arbitrary code execution on affected systems. The high complexity rating indicates that successful exploitation requires specific conditions, yet the absence of authentication or user interaction lowers the barrier once those conditions are met.

Vendor advisories hosted at 3ds.com detail available patches and mitigation steps for supported releases, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog. A SANS Internet Storm Center diary documents observed exploit attempts against the vulnerability.

The EPSS score reached a peak of 0.4651 and remains elevated at 0.4139, reflecting a clear post-disclosure increase in exploitation interest that warrants renewed defensive attention.

Vulnerability details

A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to remote code execution.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 11 September 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: 3ds (Dassault Systèmes)
Product: DELMIA Apriso
Versions: Release 2020 through Release 2025

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)
Directly requires validation of untrusted serialized input before deserialization, blocking the CWE-502 vector that leads to RCE.

SI-3 Malicious Code Protection (prevent, detect)
Enforces malicious-code detection and blocking mechanisms that can identify and stop execution of code resulting from unsafe deserialization.

Integrity verification (detect, respond)
Requires integrity verification of software and data, enabling detection of unauthorized code or objects introduced via the deserialization flaw.
