CVE-2025-6204
Published 2025-08-04
CVE-2025-6204: An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker…
Priority: P186, high, 8 (CVSS 3.1)
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-11-18
Exploited in the wild
EPSS: 75.31% (99.5th percentile)
An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3ds | delmia_apriso | 2020 – 2025 | — |
| dassault_syst_mes | delmia_apriso | Release 2020 Golden – Release 2020 SP4 | — |
| dassault_syst_mes | delmia_apriso | Release 2021 Golden – Release 2021 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2022 Golden – Release 2022 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2023 Golden – Release 2023 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2024 Golden – Release 2024 SP1 | — |
| dassault_syst_mes | delmia_apriso | Release 2025 Golden – Release 2025 SP1 | — |
Detection & IOCs (extracted from sources)
url: /Apriso/MessageProcessor/FlexNetMessageProcessor.svc
url: /Apriso/Portal/Kiosk/Login.aspx
url: /Apriso/Portal/Kiosk/Login.aspx?BackToStartPage=true
path: /Apriso/Portal/Uploads/<random>.asp
command: cmd /c whoami
other: Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
- Alert on .asp (or other executable script) files appearing under /Apriso/Portal/Uploads/; this directory should not contain executable artifacts, and their presence indicates successful exploitation.
- Monitor SOAP requests to FlexNetMessageProcessor.svc with action ProcessMessageASync_v2 as part of the pre-authentication step in the exploit chain.
- The exploit is a multi-step chain: (1) SOAP call to FlexNetMessageProcessor.svc, (2) GET Login.aspx to harvest ASP.NET anti-forgery tokens, (3) POST Login.aspx to authenticate, (4) POST UploadFile with path-traversal filename to drop a .asp webshell, (5) GET the dropped .asp to execute it. Correlate these five sequential requests from the same source IP.
- The dropped ASP webshell is self-deleting: it executes 'cmd /c whoami', writes output to the response, then calls fso.DeleteFile on itself. Look for short-lived .asp files in the Uploads directory and transient process creation (cmd.exe) spawned from the web server process.
- The exploit uses hardcoded credentials (username: 'LAST', password: '9') in the SOAP authentication step; alert on login attempts with these values against the Apriso portal.
- The upload response body contains the strings 'Uploads', 'ResultMessage', 'FilePath', 'Success', and the uploaded filename with .asp extension; use these as web-layer detection signatures in WAF or proxy logs.
- Affected versions span a wide range (DELMIA Apriso Release 2020 through Release 2025), meaning all deployments in this range are vulnerable until patched.
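The correlation described in the bullets above, as an added detection example that is not taken from the page's sources: it walks web access log lines per source IP, flags the five-step sequence when it completes within a time window, and separately flags any request for an .asp file under the Uploads directory. The simplified log format, the 120-second window, the substring match on `UploadFile` and every sample line (including the placeholder upload path and filename) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Ordered stages of the chain: (label, HTTP method, pattern on the URI stem).
STAGES = [
    ("soap",   "POST", re.compile(r"/Apriso/MessageProcessor/FlexNetMessageProcessor\.svc$", re.I)),
    ("token",  "GET",  re.compile(r"/Apriso/Portal/Kiosk/Login\.aspx$", re.I)),
    ("login",  "POST", re.compile(r"/Apriso/Portal/Kiosk/Login\.aspx$", re.I)),
    ("upload", "POST", re.compile(r"UploadFile", re.I)),  # assumption: page gives no full path
    ("exec",   "GET",  re.compile(r"/Apriso/Portal/Uploads/[^/]+\.asp$", re.I)),
]
WINDOW = timedelta(seconds=120)  # assumed maximum duration of one chain
# Constructed sample log, format "timestamp client-ip method uri status".
SAMPLE_LOG = """\
2025-10-30T08:14:50 198.51.100.20 GET /Apriso/Portal/Kiosk/Login.aspx 200
2025-10-30T08:14:58 198.51.100.20 POST /Apriso/Portal/Kiosk/Login.aspx 302
2025-10-30T08:15:01 203.0.113.7 POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc 200
2025-10-30T08:15:02 203.0.113.7 GET /Apriso/Portal/Kiosk/Login.aspx?BackToStartPage=true 200
2025-10-30T08:15:03 203.0.113.7 POST /Apriso/Portal/Kiosk/Login.aspx 302
2025-10-30T08:15:04 203.0.113.7 POST /Apriso/EXAMPLE/UploadFile 200
2025-10-30T08:15:05 203.0.113.7 GET /Apriso/Portal/Uploads/a1b2c3.asp 200
""".splitlines()

def parse(line):
    ts, ip, method, uri = line.split()[:4]
    return datetime.fromisoformat(ts), ip, method.upper(), uri

def detect(lines):
    """Return (finding, client_ip, uri_stem) tuples in log-time order."""
    state, findings = {}, []          # state: ip -> (next stage index, chain start)
    for ts, ip, method, uri in sorted(parse(l) for l in lines if l.strip()):
        stem = uri.split("?", 1)[0]
        if STAGES[-1][2].search(stem):            # script under Uploads: alert on its own
            findings.append(("asp_under_uploads", ip, stem))
        idx, start = state.get(ip, (0, ts))
        if idx and ts - start > WINDOW:           # stale partial chain: start over
            idx, start = 0, ts
        _, want, pattern = STAGES[idx]
        if method == want and pattern.search(stem):
            start = ts if idx == 0 else start
            idx += 1
            if idx == len(STAGES):
                findings.append(("full_chain", ip, stem))
                idx = 0
        state[ip] = (idx, start)
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The ordinary kiosk login from 198.51.100.20 produces no finding, because a chain only starts at the SOAP call; unrelated requests interleaved between stages do not reset a chain that is in progress.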
CVSS provenance
nvd: v3.1, 8.0 HIGH, CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vulncheck: 8.0 HIGH
cisa: 8.0 HIGH
GHSA
GHSA-xxh4-727v-gjcv
ghsa_unreviewed · 2025-08-04
CVE-2025-6204 [HIGH] CWE-94
An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.
VulnCheck
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
vulncheck · 2025 · CVSS 8.0
CVE-2025-6204 [HIGH] CWE-94
Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.
Affected: Dassault Systèmes DELMIA Apriso
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://app.crowdsec.net/cti/cve-explorer/CVE-2025-6204; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-11-18
CISA
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
cisa · 2025-10-28 · CVSS 8.0
CVE-2025-6204 [HIGH] CWE-94
Vulnerability: Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
Affected: Dassault Systèmes DELMIA Apriso
Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6204
Remediation Due Date: 2025-11-18
No detection rules found.
Nuclei
DELMIA Apriso - Command Injection
nuclei · CVSS 8.0
CVE-2025-6204 [HIGH]
An Improper Control of Generation of Code (code injection / file upload → RCE) vulnerability affecting DELMIA Apriso (Release 2020 → Release 2025). When an authenticated user can upload files and the upload handler fails to canonicalize filenames or enforce storage restrictions, an attacker may place executable artifacts into web-served locations (via path traversal or insufficient normalization) and achieve remote code execution under the webserver context.
Template:

```yaml
id: CVE-2025-6204

info:
  name: DELMIA Apriso - Command Injection
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An Improper Control of Generation of Code (code injection / file upload → RCE) vulnerability affecting DELMIA Apriso (Release 2020 → Rele
```
Bleepingcomputer
## CISA warns of two more actively exploited Dassault vulnerabilities
blogs_bleepingcomputer · 2025-10-28 · CVSS 9.0
CVE-2025-6205 [CRITICAL]
Sergiu Gatlan
The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes' DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution.
The first one (CVE-2025-6205) is a critical-severity missing authorization security flaw that can allow unauthenticated threat actors to remotely gain privileged access to an unpatched application, while the second (CVE-2025-6204) is a high-severity code injection vulnerability that lets attackers with high privileges execute arbitrary code on vulnerable systems.
French company Dassault Systèmes patched the two flaws in early August 2025, when it also confirme
Recorded Future
blogs_recorded_future · CVSS 9.8 · [CRITICAL]
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
2025-08-04: Published
2025-10-28: Added to CISA KEV
Exploited in the wild