cbcvebase.
CVE-2025-6205
published 2025-08-04

CVE-2025-6205: A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the…

PriorityP195critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2025-11-18
Exploited in the wild
EPSS
69.17%
99.3th percentile
A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.

Affected

7 ranges
VendorProductVersion rangeFixed in
3dsdelmia_apriso>= 2020 < 20252025
dassault_syst_mesdelmia_aprisoRelease 2020 Golden – Release 2020 SP4
dassault_syst_mesdelmia_aprisoRelease 2021 Golden – Release 2021 SP3
dassault_syst_mesdelmia_aprisoRelease 2022 Golden – Release 2022 SP3
dassault_syst_mesdelmia_aprisoRelease 2023 Golden – Release 2023 SP3
dassault_syst_mesdelmia_aprisoRelease 2024 Golden – Release 2024 SP1
dassault_syst_mesdelmia_aprisoRelease 2025 Golden – Release 2025 SP1

Detection & IOCsextracted from sources · hover to see the quote

url/Apriso/MessageProcessor/FlexNetMessageProcessor.svc
otherhttp://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2
otherProcessMessageASync_v2Response
  • Monitor for unauthenticated POST requests to the FlexNetMessageProcessor WCF service endpoint with SOAPAction targeting ProcessMessageASync_v2, which is the attack vector for this missing authorization vulnerability.
  • A successful exploit response will contain 'ProcessMessageASync_v2Response' and '<b:boolean>true</b:boolean>' in the HTTP response body, indicating a privileged user account was created.
  • The exploit payload creates a new privileged user with role 'Production User' and assigns them to group 'C1P1' via the message processor endpoint — hunt for unexpected new user accounts with these attributes.
  • Use Shodan query 'title:"DELMIA Apriso"' to identify internet-exposed instances of the vulnerable application for asset discovery and attack surface reduction.
  • ·The exploit requires no special pre-conditions or authentication — any network-reachable instance of DELMIA Apriso (Release 2020 through Release 2025) is vulnerable to unauthenticated privileged account creation.
  • ·The Nuclei PoC template uses hardcoded credentials (username: 'LAST', password: '9') and is marked 'intrusive' — the template itself creates a real privileged account on the target system during detection.

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck9.1CRITICAL
cisa9.1CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.