DELMIA Vulnerabilities

The US cybersecurity agency CISA on 27 October 2025 warned that two recent vulnerabilities in DELMIA Apriso factory software have been exploited in attacks.  DELMIA Apriso is manufacturing operations management (MOM) and manufacturing execution system (MES) software made by the French company Dassault Systèmes that enables the management of the entire manufacturing process.  The two flaws flagged as exploited are tracked as CVE-2025-6204 (CVSS score of 8.0) and CVE-2025-6205 (CVSS score of 9.1) and affect DELMIA Apriso from release 2020 through release 2025.

CVE-2025-6204 is described as a code injection bug that allows attackers to execute arbitrary code, while CVE-2025-6205 is a missing authorization issue that can be exploited to gain privileged access to the application.  According to ProjectDiscovery, the two security defects can be chained together to create accounts with elevated privileges and then place executable files into a web-served directory.  “The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning.  Separately, the product exposes a file upload API used by portal components, but that is accessible only post-authentication,” ProjectDiscovery notes.

Attackers can send unauthenticated requests to the SOAP message processor to create an arbitrary account and assign it high privileges.  Then, they can authenticate as the newly created user and drop executables into the server’s web root.  Dassault Systèmes released patches and bare-bones advisories for the two vulnerabilities on August 4, 2025, and ProjectDiscovery published technical details on September 23, 2025.

CISA has now added both issues to its Known Exploited Vulnerabilities (KEV) list, signaling that they have been exploited in the wild.  As mandated by Binding Operational Directive (BOD) 22-01, federal agencies are required to patch the flaws within three weeks.  While BOD 22-01 only applies to federal agencies, all organizations should review CISA’s KEV list and apply patches and mitigations for the security defects it describes.

To hunt for potential compromise through vulnerable DELMIA Apriso deployments, organizations should check for newly created privileged accounts and should scan directories for executables such as webshells.
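The directory-scan half of that hunt can be scripted. The following is an added example, not code from CISA, ProjectDiscovery or Dassault Systèmes; the extension list, the web-root path and the cutoff date are assumptions to adapt to the deployment being checked.

```python
import os
from datetime import datetime, timezone

# Assumption: extensions a web server may execute or that carry native code.
# Adjust to the handlers actually enabled on the server being checked.
SUSPECT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".jsp", ".php",
                ".exe", ".dll", ".ps1", ".bat", ".cmd"}

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable: still reported if the extension matches

def find_suspect_files(web_root, since):
    """Return (path, reasons, mtime) for executable content modified at or after `since`.

    web_root: directory served by the web server (hypothetical, supplied by caller)
    since:    timezone-aware datetime, e.g. the last known-good deployment date
    """
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or access denied
            if st.st_mtime < cutoff:
                continue
            reasons = []
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTS:
                reasons.append("script/executable extension")
            if is_pe(path):  # catches executables renamed to look harmless
                reasons.append("PE header")
            if reasons:
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                hits.append((path, reasons, mtime))
    return sorted(hits, key=lambda h: h[2])  # oldest first

if __name__ == "__main__":
    import sys
    root, day = sys.argv[1], sys.argv[2]  # usage: script.py <web_root> <YYYY-MM-DD>
    start = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
    for path, reasons, mtime in find_suspect_files(root, start):
        print(f"{mtime:%Y-%m-%d %H:%M}Z  {path}  [{', '.join(reasons)}]")
```

File timestamps can be altered after the fact, so an empty result is inconclusive; compare any hits against the list of accounts created in the same window.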

In September 2025, CISA warned that threat actors have been exploiting another DELMIA Apriso vulnerability, CVE-2025-5086 (CVSS score of 9.0), which could lead to remote code execution.

 

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
