Two additional flaws in Dassault Systèmes DELMIA Apriso exploited

On October 28, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6204 and CVE-2025-6205 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

These flaws affect DELMIA Apriso, a manufacturing operations management and execution platform developed by Dassault Systèmes. This update is in addition to CISA’s September 2025 advisory regarding CVE-2025-5086, a remote code execution vulnerability in the same platform.

CVE-2025-6205 is a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.1 out of 10. It is due to missing authorization, and could allow an unauthenticated threat actor to create a new user account with elevated privileges; specifically, the “Production User” role. Exploitation does not require authentication, making it relatively easy to execute remotely.

CVE-2025-6204 is a high-severity injection flaw rated with a CVSS score of 8. It could enable a user with elevated privileges to execute malicious code. The flaw requires privileged access, which may be obtained through lateral movement or chaining with other vulnerabilities.

For example, after using CVE-2025-6205 to create new credentials, the attacker would be able to leverage CVE-2025-6204 to upload a malicious file into a directory served by the web server. This would result in remote code execution under the web server’s context.

Both vulnerabilities affect DELMIA Apriso versions from Release 2020 through Release 2025. Dassault Systèmes released patches for these flaws in early August 2025.

DELMIA Apriso is widely used in industrial environments to manage and automate manufacturing operations. It integrates with enterprise resource planning systems and supports real-time visibility and control across production lines. Organizations using this platform include manufacturers in automotive, aerospace, electronics, and other sectors with complex supply chains and production workflows.

Analyst insight

CISA has not attributed these exploits to a specific threat actor. However, the nature of the vulnerabilities and their inclusion in the KEV catalog suggest they are being leveraged by advanced persistent threat groups or criminal actors targeting industrial control systems.

Together, these flaws form a low-effort, high-impact exploit. The first vulnerability bypasses authentication, while the second enables code execution with little post-authentication interaction. The chaining of these two flaws could lead to a full compromise of manufacturing execution environments, disruption of production workflows, and potential manipulation of operational data. This could result in downtime, safety risks, and financial losses.

Mitigation recommendations include applying Dassault Systèmes’ security updates released in August 2025. Where patching is delayed, network segmentation and access control policies may reduce exposure. Monitoring for indicators of compromise and reviewing privileged access logs can help detect potential exploitation.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up