What the vulnerability does
01Description
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
CVE-2025-5086
CRITICAL
CVE-2025-5086: Deserialization of Untrusted Data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025
CVSS base score
9.0/10
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA mandated remediation
02CISA Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Key dates
03Disclosure timeline
June 2, 2025
CVE published
February 26, 2026
Record updated
External resources
04References
NVD — National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2025-5086
CWE — Common Weakness Enumeration
https://cwe.mitre.org/data/definitions/502.html
CISA KEV Reference
https://www.3ds.com/trust-center/security/security-advisories/…
CISA KEV Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-5086
Related vulnerabilities
05Related CVE
CVE-2024-23328 The Dataease datasource exists deserialization and arbitrary file read vulnerability
CVE-2023-52206 WordPress Page Builder: Live Composer Plugin <= 1.5.25 is vulnerable to PHP Object Injection
CVE-2024-23513 WordPress PropertyHive Plugin <= 2.0.5 is vulnerable to PHP Object Injection
CVE-2026-49121 AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization
CVE-2019-10135
