The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new critical vulnerability, CVE-2025-5086, to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence of active attacks targeting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software.
Details of the Vulnerability
The flaw, rated CVSS 9.0 (critical), affects DELMIA Apriso versions from Release 2020 through Release 2025. According to Dassault, this issue stems from the deserialization of untrusted data, which can allow remote code execution (RCE) on targeted systems.
Exploitation Attempts Reported
The SANS Internet Storm Center detected live exploitation attempts linked to an IP address (156.244.33[.]162) traced to Mexico. Attackers are sending specially crafted HTTP requests to the endpoint:
/apriso/WebServices/FlexNetOperationsService.svc/Invoke
These requests carry a Base64-encoded payload that expands into a GZIP-compressed Windows DLL file (fwitxz01.dll).
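A defender-side check for the pattern described above, as an added example that is not code from SANS, Dassault or this article: it inspects a captured request to the Invoke endpoint for a Base64 run that decodes to GZIP data beginning with a Windows PE header. The function names, the 64-character threshold and the XML wrapper in the constructed sample are assumptions, since the article does not give the request body layout.

```python
import base64
import binascii
import gzip
import re
import zlib

# Endpoint from the report; compared in lower case because IIS paths are case-insensitive.
ENDPOINT = "/apriso/webservices/flexnetoperationsservice.svc/invoke"
# Only long Base64 runs are decoded; the 64-character floor is an assumption.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
MAX_OUT = 16 * 1024 * 1024  # bound decompression so a gzip bomb cannot exhaust memory


def embedded_pe_sizes(body: bytes) -> list[int]:
    """Sizes of payloads in body that decode Base64 -> GZIP -> 'MZ' (PE) header."""
    sizes = []
    for match in B64_RUN.finditer(body):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all
        if raw[:2] != b"\x1f\x8b":  # GZIP magic bytes
            continue
        try:
            out = zlib.decompressobj(wbits=31).decompress(raw, MAX_OUT)
        except zlib.error:
            continue  # truncated or corrupt stream
        if out[:2] == b"MZ":  # DOS/PE header of a Windows executable or DLL
            sizes.append(len(out))
    return sizes


def inspect_request(path: str, body: bytes) -> list[int]:
    """Return embedded PE sizes for requests to the Invoke endpoint, else []."""
    if path.split("?", 1)[0].lower() != ENDPOINT:
        return []
    return embedded_pe_sizes(body)


def constructed_sample() -> bytes:
    """Constructed request body: a fake 514-byte 'MZ' blob, not a real DLL."""
    fake_pe = b"MZ" + bytes(range(256)) * 2
    blob = base64.b64encode(gzip.compress(fake_pe))
    return b"<Envelope><Body><arg>" + blob + b"</arg></Body></Envelope>"


if __name__ == "__main__":
    print(inspect_request("/apriso/WebServices/FlexNetOperationsService.svc/Invoke",
                          constructed_sample()))
```

Base64 that is wrapped across lines or split between fields would not be caught by this single-run match.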
Malware Connection: Zapchast Trojan
Security vendors including Kaspersky, Bitdefender, and Trend Micro have identified this DLL as Trojan.MSIL.Zapchast.gen, a spyware tool capable of:
- Recording keystrokes
- Capturing screenshots
- Collecting details about active applications
The stolen data is then exfiltrated through email, FTP, or HTTP requests.
While variants of Zapchast malware have been distributed through phishing emails for over a decade, researchers are still analyzing whether this latest version represents a more advanced evolution.
CISA’s Security Advisory
CISA has instructed Federal Civilian Executive Branch (FCEB) agencies to apply security updates no later than October 2, 2025, to defend against ongoing exploitation attempts.


