Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Description
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Remediation
FEDERAL DEADLINE: October 1, 2025 (20 days). Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA KEV Details
Deadline: October 1, 2025
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
---METADATA---
VENDOR: ZenTao
PRODUCT: ZenTaoPMS
AFFECTED_VERSIONS: v18.11 through v21.6.beta
---END_METADATA---
Description Summary:
ZenTaoPMS is vulnerable to a directory traversal flaw in its AI module, enabling unauthenticated attackers to achieve remote code execution via malicious file uploads.
Executive Summary:
A critical directory traversal vulnerability in ZenTaoPMS allows unauthenticated attackers to execute arbitrary code on the server through a crafted file upload.
Vulnerability Details
CVE-ID: CVE-2025-50857
Affected Software: ZenTao ZenTaoPMS
Affected Versions: v18.11 through v21.6.beta
Vulnerability: The vulnerability is located in the /module/ai/control.php component. It allows for directory traversal, which an unauthenticated attacker can leverage to upload and execute arbitrary files, leading to full system compromise.
Business Impact
With a CVSS score of 9.8, this vulnerability represents a critical-severity risk. A successful exploit allows for Remote Code Execution (RCE), giving attackers full access to the server, sensitive project management data, and the ability to pivot into the internal network.
Remediation Plan
Immediate Action: Update ZenTaoPMS to the latest stable version that addresses the directory traversal flaw in the AI module.
Proactive Monitoring: Scan the web server for unauthorized PHP files or shells, particularly in the /module/ai/ directory and temporary upload folders.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules to block directory traversal patterns (e.g., ../) and restrict file upload types at the server level.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 26, 2026, there is no public information indicating active exploitation. However, RCE vulnerabilities in project management software are frequently targeted by ransomware groups and state-sponsored actors.
Analyst Recommendation
Due to the potential for unauthenticated Remote Code Execution, this vulnerability must be addressed with the highest priority. Apply the vendor-provided security patches immediately to mitigate the risk of a complete server takeover.
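The two monitoring steps in the Remediation Plan above (scanning for PHP files that do not belong to the install, and rejecting client-supplied paths carrying traversal sequences) can be implemented as a small defender-side check. The script below is an added example, not code from ZenTao or from the advisory; the webroot, the baseline manifest and the probe paths are constructed inline for the demonstration.

```python
import hashlib
import os
import tempfile
from urllib.parse import unquote


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def find_unexpected_php(webroot, baseline):
    """Relative paths of PHP-executable files under webroot that are absent from
    the baseline manifest {relpath: sha256} or whose content hash differs."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if baseline.get(rel) != sha256_of(full):
                findings.append(rel)
    return sorted(findings)


def has_traversal(user_path):
    """True if a client-supplied path contains a '..' segment after URL-decoding
    twice (catches double encoding) and normalising backslashes."""
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def demo():
    """Constructed webroot: two baseline files in module/ai plus one planted
    file in a temporary upload folder; then run both checks."""
    root = tempfile.mkdtemp()
    legit = {"module/ai/control.php": b"<?php // legitimate controller\n",
             "module/ai/model.php": b"<?php // legitimate model\n"}
    baseline = {}
    for rel, body in legit.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        baseline[rel] = hashlib.sha256(body).hexdigest()
    planted = os.path.join(root, "tmp", "upload", "x.php")
    os.makedirs(os.path.dirname(planted))
    with open(planted, "wb") as fh:
        fh.write(b"<?php // file not present in baseline\n")
    probes = ["report.pdf", "../../module/ai/x.php", "..%2F..%2Fx.php", "%252e%252e/x.php"]
    return find_unexpected_php(root, baseline), [p for p in probes if has_traversal(p)]
```

In production the baseline manifest would be recorded from a freshly patched, known-good installation and the scan scheduled against the live webroot.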