Thursday, September 11, 2025

CISA Adds Dassault Systèmes Vulnerability to KEV Catalog – 9-11-25

Today CISA added a deserialization of untrusted data vulnerability (CVE-2025-5086) in the Dassault Systèmes DELMIA Apriso product to their Known Exploited Vulnerabilities (KEV) catalog. Dassault Systèmes published their advisory for the vulnerability in June; the details of the advisory (including remediation) are only available to registered customers. On September 3rd, the SANS Internet Storm Center (ISC) reported the first observed exploitation of the vulnerability.

CISA is requiring federal agencies using the affected product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The deadline for achieving that is October 2nd, 2025.

NOTE: The ISC report includes an interesting description of the affected product:

“When I am thinking about the security of manufacturing environments, I am usually focusing on IoT devices integrated into production lines. All the little sensors and actuators are often very difficult to secure. On the other hand, there is also "big software" that is used to manage manufacturing. One example is DELMIA Apriso by Dassault Systèmes. This type of Manufacturing Operation Management (MOM) or Manufacturing Execution System (MES) ties everything together and promises to connect factory floors to ERP systems.”

