Instead, the little public information that has emerged has come from third-party sources, most prominently last week when CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog. The entry describes the flaw simply as “a deserialization of untrusted data vulnerability that could lead to a remote code execution”; the flaw carries a CVSS score of 9.0, or ‘critical.’
Some days earlier, Johannes Ullrich of the SANS Internet Storm Center (ISC) published a separate alert on CVE-2025-5086 offering more context. It’s possible, though unconfirmed, that this advisory was the source for CISA’s warning.
“When I am thinking about the security of manufacturing environments, I am usually focusing on IoT devices integrated into production lines. All the little sensors and actuators are often very difficult to secure,” wrote Ullrich. “On the other hand, there is also ‘big software’ that is used to manage manufacturing.” Although it’s less frequently an issue, he noted, “complex systems like this have bugs, too.”