CISA Adds Critical CVE-2025-5086 in DELMIA Apriso to KEV Catalog Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added CVE-2025-5086, a critical vulnerability in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The advisory assigns a CVSS score of 9.0 out of 10.0 and notes affected versions from Release 2020 through Release 2025. The KEV listing is tied to active exploitation observed in the wild, prompting urgent patching by organizations.

Dassault Systèmes acknowledged the issue and characterized it as a deserialization of untrusted data vulnerability that could lead to remote code execution. The company’s advisory indicates that the flaw affects DELMIA Apriso releases spanning from 2020 through 2025.

The matter has drawn attention from researchers after the SANS Internet Storm Center reported exploitation attempts targeting the flaw. The activity is linked to a campaign that sends an HTTP request to the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload that decodes to a Windows executable identified as fwitxz01.dll. The SANS ISC diary and a GreyNoise IP report tie the activity to an IP address geolocated to Mexico.
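A defender-side check for the request pattern SANS ISC describes, written as an added example that is not from the article or from any vendor named in it: it flags requests to the quoted Invoke endpoint whose body carries a Base64 run that decodes to a Windows PE ("MZ") header. The sample requests and the Base64 blob (an "MZ" header followed by zero bytes, not an executable) are constructed here; the endpoint path is the one quoted above.

```python
import base64
import re

# Endpoint named in the SANS ISC report on CVE-2025-5086 exploitation attempts.
APRISO_INVOKE_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"

# Candidate Base64 runs: long enough to carry a binary, not a short token.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decodes_to_pe(blob: str) -> bool:
    """True if a Base64 run decodes to bytes starting with the 'MZ' DOS header."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # bad alphabet or padding: not a decodable run
        return False
    return raw.startswith(b"MZ")


def inspect_request(method: str, path: str, body: str) -> dict:
    """Flag a request that hits the Apriso Invoke endpoint with a PE hidden in Base64."""
    hits_endpoint = path.lower().startswith(APRISO_INVOKE_PATH.lower())
    embedded_pe = any(decodes_to_pe(m.group(0)) for m in _B64_RUN.finditer(body))
    return {
        "method": method,
        "endpoint_match": hits_endpoint,
        "embedded_pe": embedded_pe,
        "suspicious": hits_endpoint and embedded_pe,
    }


# Constructed stand-ins: an MZ header plus zero bytes, and a plain-text blob.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 100).decode()
TEXT_B64 = base64.b64encode(b"a benign text payload, repeated " * 3).decode()

SAMPLE_REQUESTS = [
    ("GET", "/apriso/", ""),
    ("POST", APRISO_INVOKE_PATH,
     "<s:Envelope><s:Body><Invoke><data>" + FAKE_PE_B64 + "</data></Invoke></s:Body></s:Envelope>"),
    ("POST", APRISO_INVOKE_PATH,
     "<s:Envelope><s:Body><Invoke><data>" + TEXT_B64 + "</data></Invoke></s:Body></s:Envelope>"),
]


def classify_samples() -> list:
    """Return the 'suspicious' verdict for each constructed sample request."""
    return [inspect_request(*req)["suspicious"] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, classify_samples()):
        print(req[0], req[1], "-> suspicious" if verdict else "-> ok")
```

Run over real web server request bodies, a hit is a starting point for triage, not proof of compromise: a PE header inside Base64 on this endpoint is unexpected, but confirmation still needs the decoded file and host telemetry.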

Security researchers at Kaspersky Lab have flagged the DLL payload as Trojan.MSIL.Zapchast.gen, a family historically associated with data skimming and espionage. Kaspersky describes it as a malware program designed to spy on user activity, including keystrokes and screenshots, with the collected data exfiltrated via multiple channels. Kaspersky's threat page notes that Zapchast variants have circulated for years, often distributed through phishing emails bearing malicious attachments. Bitdefender's write-up on Zapchast and Trend Micro's threat encyclopedia entry provide additional context on this family.

In response to the evolving threat, U.S. federal agencies in the Federal Civilian Executive Branch (FCEB) were urged to apply the necessary updates by October 2, 2025, to secure their networks against the exploited flaw. The CISA KEV advisory and Dassault's security notice explain the scope of affected deployments and the remediation steps.