CVE-2025-6205
published 2025-08-04CVE-2025-6205: A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the…
PriorityP195critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2025-11-18
Exploited in the wild
EPSS
69.17%
99.3th percentile
A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3ds | delmia_apriso | >= 2020 < 2025 | 2025 |
| dassault_syst_mes | delmia_apriso | Release 2020 Golden – Release 2020 SP4 | — |
| dassault_syst_mes | delmia_apriso | Release 2021 Golden – Release 2021 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2022 Golden – Release 2022 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2023 Golden – Release 2023 SP3 | — |
| dassault_syst_mes | delmia_apriso | Release 2024 Golden – Release 2024 SP1 | — |
| dassault_syst_mes | delmia_apriso | Release 2025 Golden – Release 2025 SP1 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated POST requests to the FlexNetMessageProcessor WCF service endpoint with SOAPAction targeting ProcessMessageASync_v2, which is the attack vector for this missing authorization vulnerability. ↗
- →A successful exploit response will contain 'ProcessMessageASync_v2Response' and '<b:boolean>true</b:boolean>' in the HTTP response body, indicating a privileged user account was created. ↗
- →The exploit payload creates a new privileged user with role 'Production User' and assigns them to group 'C1P1' via the message processor endpoint — hunt for unexpected new user accounts with these attributes. ↗
- →Use Shodan query 'title:"DELMIA Apriso"' to identify internet-exposed instances of the vulnerable application for asset discovery and attack surface reduction. ↗
- ·The exploit requires no special pre-conditions or authentication — any network-reachable instance of DELMIA Apriso (Release 2020 through Release 2025) is vulnerable to unauthenticated privileged account creation. ↗
- ·The Nuclei PoC template uses hardcoded credentials (username: 'LAST', password: '9') and is marked 'intrusive' — the template itself creates a real privileged account on the target system during detection. ↗
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck9.1CRITICAL
cisa9.1CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7pcv-gm7q-mj69: A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access
ghsa_unreviewed·2025-08-04
CVE-2025-6205 [CRITICAL] CWE-862 GHSA-7pcv-gm7q-mj69: A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access
A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.
VulnCheck
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
vulncheck·2025·CVSS 9.1
CVE-2025-6205 [CRITICAL] CWE-862 Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.
Affected: Dassault Systèmes DELMIA Apriso
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-6205; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-17&host_type=src&vulnerability=cve-2025-6205; https://dashboard.shadowserver.org/statistics/hone
CISA
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
cisa·2025-10-28·CVSS 9.1
CVE-2025-6205 [CRITICAL] CWE-862 Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
Vulnerability: Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
Affected: Dassault Systèmes DELMIA Apriso
Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6205
Remediation Due Date: 2025-11-18
No detection rules found.
Nuclei
DELMIA Apriso - Broken Access Control
nuclei·CVSS 9.1
CVE-2025-6205 [CRITICAL] DELMIA Apriso - Broken Access Control
DELMIA Apriso - Broken Access Control
DELMIA Apriso Release 2020 through Release 2025 contains a broken access control vulnerability caused by missing authorization, letting attackers gain privileged access to the application, exploit requires no special conditions.
Template:
id: CVE-2025-6205
info:
name: DELMIA Apriso - Broken Access Control
author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
severity: high
description: |
DELMIA Apriso Release 2020 through Release 2025 contains a broken access control vulnerability caused by missing authorization, letting attackers gain privileged access to the application, exploit requires no special conditions.
remediation: |
Apply security patches from DELMIA for Release 2020 through Release 2025 to address missing authorization checks on message
Bleepingcomputer
CISA warns of two more actively exploited Dassault vulnerabilities
blogs_bleepingcomputer·2025-10-28·CVSS 9.0
CVE-2025-6205 [CRITICAL] CISA warns of two more actively exploited Dassault vulnerabilities
## CISA warns of two more actively exploited Dassault vulnerabilities
## Sergiu Gatlan
The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes' DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution.
The first one ( CVE-2025-6205 ) is a critical-severity missing authorization security flaw that can allow unauthenticated threat actors to remotely gain privileged access to an unpatched application, while the second ( CVE-2025-6204 ) is a high-severity code injection vulnerability that lets attackers with high privileges execute arbitrary code on vulnerable systems.
French company Dassault Systèmes patched the two flaws in early August 2025, when it also confirme
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
NoiseLetter September 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
2025-08-04
Published
2025-10-28
Added to CISA KEV
Exploited in the wild