PatchSiren cyber security CVE debrief
CVE-2025-5086 Dassault Systèmes CVE debrief
CVE-2025-5086 is a Dassault Systèmes DELMIA Apriso deserialization of untrusted data vulnerability that CISA has added to its Known Exploited Vulnerabilities catalog. That KEV listing means CISA considers the issue actively exploited or otherwise confirmed as exploited. The supplied corpus does not include affected versions, CVSS scoring, or patch build details, so defenders should use the vendor’s security guidance and CISA’s remediation deadline as the primary timing signal.
- Vendor: Dassault Systèmes
- Product: DELMIA Apriso
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2025-09-11
- Original CVE updated: 2025-09-11
- Advisory published: 2025-09-11
- Advisory updated: 2025-09-11
Who should care
Security, IT, and application owners responsible for Dassault Systèmes DELMIA Apriso deployments should treat this as a priority, especially teams supporting production environments or externally reachable instances.
Technical summary
The vulnerability is described at a high level as a deserialization of untrusted data issue in DELMIA Apriso. The supplied source set does not provide exploitation preconditions, affected release ranges, or a fixed-version list. CISA’s KEV entry confirms the CVE is important enough for mandated remediation tracking and directs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable.
Defensive priority
High. CISA added CVE-2025-5086 to the KEV catalog on 2025-09-11 and set a due date of 2025-10-02. Organizations running DELMIA Apriso should immediately inventory exposure, follow vendor mitigation guidance, and complete remediation before the KEV due date.
Recommended defensive actions
- Inventory all Dassault Systèmes DELMIA Apriso deployments and identify any instances exposed to untrusted networks or shared with external parties.
- Review the Dassault Systèmes security advisory referenced by CISA for CVE-2025-5086 and apply all vendor-recommended mitigations as soon as possible.
- If mitigations are unavailable or cannot be deployed safely, follow CISA guidance to discontinue use of the product or otherwise remove exposure.
- For cloud-hosted usage, follow applicable CISA BOD 22-01 guidance in addition to vendor instructions.
- Validate the environment after mitigation and continue monitoring for vendor updates or revised guidance through the CISA KEV entry and official CVE/NVD records.
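The inventory and deadline-tracking steps above can be scripted. The following is an added example, not code from PatchSiren, CISA, or the vendor: it reads a KEV record in the layout of CISA's JSON feed, matches it against an asset list, and ranks unmitigated DELMIA Apriso hosts by exposure and days remaining. The KEV excerpt is constructed from the values stated on this page; the inventory, its field names, the hostnames, and the status labels are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed; the values are
# the ones this page states (dateAdded 2025-09-11, dueDate 2025-10-02).
KEV_JSON = """{"vulnerabilities": [{"cveID": "CVE-2025-5086",
  "vendorProject": "Dassault Systèmes", "product": "DELMIA Apriso",
  "dateAdded": "2025-09-11", "dueDate": "2025-10-02"}]}"""

# Constructed inventory: hostnames and field names are hypothetical.
INVENTORY = [
    {"host": "mes-prod-01.example.internal", "product": "DELMIA Apriso", "exposed": True, "mitigated": False},
    {"host": "mes-test-02.example.internal", "product": "delmia apriso", "exposed": False, "mitigated": False},
    {"host": "mes-dr-03.example.internal", "product": "DELMIA Apriso", "exposed": False, "mitigated": True},
    {"host": "erp-01.example.internal", "product": "Other ERP", "exposed": True, "mitigated": False},
]

def kev_entry(catalog_json, cve_id):
    """Return the KEV record for cve_id, or None if the CVE is not listed."""
    for vuln in json.loads(catalog_json)["vulnerabilities"]:
        if vuln["cveID"] == cve_id:
            return vuln
    return None

def triage(inventory, entry, today):
    """List unmitigated assets running the KEV product, most pressing first."""
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    product = entry["product"].casefold()
    rows = []
    for asset in inventory:
        # Skip other products and hosts where the vendor mitigation is applied.
        if asset["product"].casefold() != product or asset["mitigated"]:
            continue
        if days_left < 0:
            status = "OVERDUE"   # past the KEV due date
        elif asset["exposed"]:
            status = "URGENT"    # reachable from untrusted networks
        else:
            status = "OPEN"
        rows.append((asset["host"], status, days_left))
    order = {"OVERDUE": 0, "URGENT": 1, "OPEN": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

if __name__ == "__main__":
    entry = kev_entry(KEV_JSON, "CVE-2025-5086")
    for host, status, days in triage(INVENTORY, entry, date(2025, 9, 20)):
        print(f"{host:30} {status:8} {days:+d} days to KEV due date")
```
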
Evidence notes
This debrief is based on the supplied CISA KEV record and official CVE/NVD resource links. The source corpus explicitly provides the vendor project (Dassault Systèmes), product (DELMIA Apriso), vulnerability name, KEV dateAdded (2025-09-11), dueDate (2025-10-02), and required action text. The corpus does not supply CVSS, affected versions, exploit details, or patch identifiers.
Official resources
- CVE-2025-5086 CVE record (CVE.org)
- CVE-2025-5086 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Source item URL (cisa_kev)
CISA listed CVE-2025-5086 in the Known Exploited Vulnerabilities catalog on 2025-09-11, with a remediation due date of 2025-10-02. The supplied corpus does not include exploit mechanics, affected-version ranges, or patch-level details.