cbcvebase.
CVE-2025-6204
published 2025-08-04

CVE-2025-6204: An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker…

PriorityP186high8CVSS 3.1
AVNACHPRHUINSCCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2025-11-18
Exploited in the wild
EPSS
75.31%
99.5th percentile
An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.

Affected

7 ranges
VendorProductVersion rangeFixed in
3dsdelmia_apriso2020 – 2025
dassault_syst_mesdelmia_aprisoRelease 2020 Golden – Release 2020 SP4
dassault_syst_mesdelmia_aprisoRelease 2021 Golden – Release 2021 SP3
dassault_syst_mesdelmia_aprisoRelease 2022 Golden – Release 2022 SP3
dassault_syst_mesdelmia_aprisoRelease 2023 Golden – Release 2023 SP3
dassault_syst_mesdelmia_aprisoRelease 2024 Golden – Release 2024 SP1
dassault_syst_mesdelmia_aprisoRelease 2025 Golden – Release 2025 SP1

Detection & IOCsextracted from sources · hover to see the quote

url/Apriso/MessageProcessor/FlexNetMessageProcessor.svc
url/Apriso/Portal/Kiosk/Login.aspx
url/Apriso/Portal/Kiosk/Login.aspx?BackToStartPage=true
path/Apriso/Portal/Uploads/<random>.asp
commandcmd /c whoami
otherSoapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
  • Alert on .asp (or other executable script) files appearing under /Apriso/Portal/Uploads/ — this directory should not contain executable artifacts and their presence indicates successful exploitation.
  • Monitor SOAP requests to FlexNetMessageProcessor.svc with action ProcessMessageASync_v2 as part of the pre-authentication step in the exploit chain.
  • The exploit is a multi-step chain: (1) SOAP call to FlexNetMessageProcessor.svc, (2) GET Login.aspx to harvest ASP.NET anti-forgery tokens, (3) POST Login.aspx to authenticate, (4) POST UploadFile with path-traversal filename to drop a .asp webshell, (5) GET the dropped .asp to execute it. Correlate these five sequential requests from the same source IP.
  • The dropped ASP webshell is self-deleting: it executes 'cmd /c whoami', writes output to the response, then calls fso.DeleteFile on itself. Look for short-lived .asp files in the Uploads directory and transient process creation (cmd.exe) spawned from the web server process.
  • The exploit uses hardcoded credentials (username: 'LAST', password: '9') in the SOAP authentication step; alert on login attempts with these values against the Apriso portal.
  • The upload response body contains the strings 'Uploads', 'ResultMessage', 'FilePath', 'Success', and the uploaded filename with .asp extension — use these as web-layer detection signatures in WAF or proxy logs.
  • ·Affected versions span a wide range — DELMIA Apriso Release 2020 through Release 2025 — meaning all deployments in this range are vulnerable until patched.

CVSS provenance

nvdv3.18.0HIGHCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vulncheck8.0HIGH
cisa8.0HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.