The US cybersecurity agency CISA on Tuesday warned that two recent vulnerabilities in DELMIA Apriso factory software have been exploited in attacks.
A manufacturing operations management (MOM) and manufacturing execution system (MES) software made by French company Dassault Systèmes, DELMIA Apriso enables the management of the entire manufacturing process.
The two flaws flagged as exploited are tracked as CVE-2025-6204 (CVSS score of 8.0) and CVE-2025-6205 (CVSS score of 9.1), and affect DELMIA Apriso from release 2020 through release 2025.
CVE-2025-6204 is described as a code injection bug that allows attackers to execute arbitrary code, while CVE-2025-6205 is a missing authorization issue that can be exploited to gain privileged access to the application.
According to ProjectDiscovery, the two security defects can be chained together to create accounts with elevated privileges and then place executable files into a web-served directory.
“The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning. Separately, the product exposes a file upload API used by portal components but that is accessible only post-authentication,” ProjectDiscovery notes.
Attackers can send unauthenticated requests to the SOAP message processor to create an arbitrary account and assign it high privileges. Then, they can authenticate as the newly created user and drop executables into the server’s web root.
Dassault Systèmes released patches and barebone advisories for the two vulnerabilities on August 4, and ProjectDiscovery published technical details on September 23.
Now, CISA says that both issues have been exploited in the wild, by adding them to its Known Exploited Vulnerabilities (KEV) list. As mandated by Binding Operational Directive (BOD) 22-01, federal agencies should patch the flaws within three weeks.
While BOD 22-01 only applies to federal agencies, all organizations should review CISA’s KEV list and apply patches and mitigations for the security defects it describes.
To hunt for potential compromise through vulnerable DELMIA Apriso deployments, organizations should check for newly created privileged accounts and should scan directories for executables such as webshells.
Last month, CISA warned that threat actors have been exploiting another DELMIA Apriso vulnerability, CVE-2025-5086 (CVSS score of 9.0), which could lead to remote code execution.
Related: Year-Old WordPress Plugin Flaws Exploited to Hack Websites
Related: QNAP NetBak PC Agent Affected by Recent ASP.NET Core Vulnerability
Related: Lanscope Endpoint Manager Zero-Day Exploited in the Wild
