CISA Warns of Actively Exploited Flaws in Dassault Systèmes' Manufacturing Software

CISA Adds Actively Exploited Dassault Systèmes DELMIA Apriso Flaws to KEV Catalog

CRITICAL
October 28, 2025
5m read
Categories: Vulnerability, Industrial Control Systems, Patch Management

Related Entities

Products & Tech: DELMIA Apriso

CVE Identifiers:
  • CVE-2025-6204 (HIGH, CVSS 8.0)
  • CVE-2025-6205 (CRITICAL, CVSS 9.1)

Full Report

Executive Summary

On October 28, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive concerning two vulnerabilities in Dassault Systèmes' DELMIA Apriso manufacturing operations management (MOM) platform. The vulnerabilities, CVE-2025-6205 and CVE-2025-6204, have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The more critical flaw, CVE-2025-6205, is a missing authorization vulnerability (CVSS 9.1) that allows an unauthenticated attacker to create a privileged user account. This can be chained with CVE-2025-6204, a code injection flaw (CVSS 8.0), to achieve remote code execution and full system takeover. Given the platform's prevalence in critical manufacturing, CISA has mandated that federal agencies patch affected systems by November 18, 2025.

Vulnerability Details

The two vulnerabilities create a critical attack chain:

  1. CVE-2025-6205 - Missing Authorization (CVSS 9.1 - Critical): This vulnerability allows a remote, unauthenticated attacker to create a new user account with high privileges on a target DELMIA Apriso system. This effectively bypasses all authentication controls.
  2. CVE-2025-6204 - Code Injection (CVSS 8.0 - High): This vulnerability allows a privileged user to execute arbitrary code. An attacker can leverage the account created via CVE-2025-6205 to exploit this second flaw.

Chaining the two flaws corresponds to MITRE ATT&CK T1190 - Exploit Public-Facing Application followed by code execution, and allows a complete compromise of the affected manufacturing system.

Affected Systems

  • Product: Dassault Systèmes DELMIA Apriso
  • Affected Versions: Release 2020 through Release 2025

Patches were made available by Dassault Systèmes in early August 2025.

Exploitation Status

According to CISA, both vulnerabilities are being actively exploited in the wild. The specific threat actors or campaigns leveraging these exploits have not been publicly disclosed. The addition to the KEV catalog confirms that these are not theoretical risks but are being used in real-world attacks. This elevates the urgency for all organizations using the affected software to apply patches immediately.

Impact Assessment

A successful exploit of this vulnerability chain could have devastating consequences for manufacturing organizations.

  • Production Halts: The DELMIA Apriso platform manages critical production processes. An attacker could disrupt or completely shut down manufacturing lines, leading to massive financial losses.
  • Data Theft: Attackers could steal sensitive intellectual property, such as product designs, manufacturing processes, and proprietary formulas.
  • Sabotage: An attacker could maliciously alter production parameters, leading to defective products, quality control issues, and potential safety risks.
  • Ransomware: A compromised MOM system is a prime target for ransomware deployment, as organizations may be more willing to pay to restore critical production capabilities.
  • Lateral Movement: The compromised server could be used as a pivot point to attack other systems within the corporate or industrial control system (ICS) network.

Detection Methods

D3FEND Technique: Detection should focus on D3-UBA - User Behavior Analysis to spot the creation of unauthorized privileged accounts and D3-FA - File Analysis on web directories.

  1. Audit for Unauthorized Accounts: The most direct indicator of compromise is the presence of newly created, unauthorized user accounts, especially those with high privileges. Regularly audit user accounts on all DELMIA Apriso servers.
  2. Web Server Log Analysis: Monitor web server logs for suspicious requests that may indicate exploitation attempts against the application. Look for unusual POST requests or patterns associated with the exploit chain.
  3. File Integrity Monitoring: Monitor web-accessible directories for the creation of unexpected or malicious files (e.g., .jsp, .aspx, .exe). An attacker exploiting CVE-2025-6204 would likely drop a file to achieve code execution.
  4. Vulnerability Scanning: Use vulnerability scanners with up-to-date plugins to identify unpatched DELMIA Apriso instances on the network.
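The two host-side checks above (the privileged-account audit of step 1 and the web-directory file analysis of step 3) can be scripted against exports from the affected server. The example below is added here and is not code from the advisory or from Dassault Systèmes; the account export format, the web directory paths, the approved-admin baseline and the role names are all constructed assumptions, and the "since" date is the August 1, 2025 patch release from the timeline.

```python
import re
from datetime import datetime

# Constructed sample data (not from the advisory): a user-account export from the
# application and the set of accounts that are expected to hold admin rights.
ACCOUNT_EXPORT = [
    {"user": "svc_mes", "role": "Administrator", "created": "2024-03-02"},
    {"user": "j.doe", "role": "Operator", "created": "2025-09-14"},
    {"user": "support01", "role": "Administrator", "created": "2025-10-20"},
]
APPROVED_ADMINS = {"svc_mes"}
PRIVILEGED_ROLES = {"Administrator"}

# Constructed listing of a web-accessible directory plus its known-good baseline;
# the file types flagged come from the advisory's file-analysis guidance.
WEB_DIR_LISTING = [
    "/app/wwwroot/index.aspx",
    "/app/wwwroot/static/logo.png",
    "/app/wwwroot/tmp/x1.aspx",
    "/app/wwwroot/upload/run.exe",
]
BASELINE_FILES = {"/app/wwwroot/index.aspx", "/app/wwwroot/static/logo.png"}
SUSPECT_EXT = re.compile(r"\.(jsp|aspx|exe)$", re.IGNORECASE)


def unauthorized_privileged_accounts(accounts, approved, since):
    """Privileged accounts that are not in the approved set, or that were
    created on/after `since` (YYYY-MM-DD) and therefore need manual review."""
    since_d = datetime.strptime(since, "%Y-%m-%d").date()
    hits = []
    for acct in accounts:
        if acct["role"] not in PRIVILEGED_ROLES:
            continue
        created = datetime.strptime(acct["created"], "%Y-%m-%d").date()
        if acct["user"] not in approved or created >= since_d:
            hits.append(acct["user"])
    return hits


def unexpected_web_files(listing, baseline):
    """Script/executable files in web directories that are not in the baseline."""
    return [p for p in listing if p not in baseline and SUSPECT_EXT.search(p)]


if __name__ == "__main__":
    print(unauthorized_privileged_accounts(ACCOUNT_EXPORT, APPROVED_ADMINS, "2025-08-01"))
    print(unexpected_web_files(WEB_DIR_LISTING, BASELINE_FILES))
```

Any account or file the functions return should be treated as a lead for the "Hunt for Compromise" step below, not as proof of compromise on its own.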

Remediation Steps

D3FEND Countermeasure: The primary countermeasure is D3-SU - Software Update. If patching is not immediately possible, hardening techniques such as D3-ITF - Inbound Traffic Filtering are critical.

  1. Patch Immediately: The top priority is to upgrade all affected DELMIA Apriso systems to a patched version as specified by Dassault Systèmes.
  2. Restrict Access: As a temporary mitigation, restrict network access to the DELMIA Apriso application. Limit access to only trusted IP addresses and users. Do not expose the application directly to the internet if possible.
  3. Hunt for Compromise: After patching, thoroughly inspect systems for signs of compromise. Check for any unauthorized user accounts created before the patch was applied and remove them. Review logs for suspicious activity dating back several weeks.
  4. Network Segmentation: Ensure that the MOM system is properly segmented from the broader corporate IT network to limit an attacker's ability to move laterally if the system is compromised.

Timeline of Events

  1. August 1, 2025: Dassault Systèmes releases patches for CVE-2025-6204 and CVE-2025-6205.
  2. October 28, 2025: CISA adds CVE-2025-6204 and CVE-2025-6205 to its Known Exploited Vulnerabilities (KEV) catalog.
  3. October 28, 2025: This article was published.
  4. November 18, 2025: CISA's deadline for U.S. federal agencies to patch the vulnerabilities.

MITRE ATT&CK Mitigations

  • The most critical mitigation is to apply the security patches provided by Dassault Systèmes immediately.
  • Restrict network access to the DELMIA Apriso application from the internet and limit it to only authorized internal subnets as a compensating control.
  • Audit (M1047, enterprise): Regularly audit user accounts on the system to detect and remove any unauthorized accounts created via exploitation.
  • Run the application in an isolated environment to contain any potential breach and prevent lateral movement into the broader ICS/OT network.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: KEV, zero-day, CISA, manufacturing, ICS security, OT security
