The US cybersecurity agency CISA issued a warning on Tuesday that two recent vulnerabilities in DELMIA Apriso factory software are actively being exploited in attacks.
Targeted Factory Software
DELMIA Apriso, a manufacturing operations management (MOM) and manufacturing execution system (MES) software made by the French company Dassault Systèmes, manages the entire manufacturing process.
The two exploited flaws are tracked as CVE-2025-6204 (CVSS score of 8.0) and CVE-2025-6205 (CVSS score of 9.1). They affect DELMIA Apriso from release 2020 through release 2025.
CVE-2025-6204 is a code injection bug that allows attackers to execute arbitrary code. CVE-2025-6205 is a missing authorization issue that can be exploited to gain privileged access to the application.
Attack Chain Details
According to ProjectDiscovery, these two security defects can be chained together. Attackers first exploit the flaws to create accounts with elevated privileges, and then use those accounts to place executable files into a web-served directory.
The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee provisioning. Attackers can send unauthenticated requests to this SOAP message processor to create an arbitrary account and assign it high privileges. Next, they authenticate as the newly created user and drop executables, such as webshells, into the server’s web root.
Dassault Systèmes released patches and bare-bones advisories for the vulnerabilities on August 4. CISA has now added both issues to its Known Exploited Vulnerabilities (KEV) list, confirming that the flaws are being actively used in the wild.
Required Action
Due to a federal mandate, all US federal agencies must patch these flaws within three weeks. While this mandate applies specifically to federal agencies, all organizations should review CISA’s KEV list and immediately apply patches and mitigations for the security defects listed there.
Organizations should also take immediate steps to hunt for potential compromise through vulnerable DELMIA Apriso deployments. This involves checking for newly created privileged accounts and scanning directories for unauthorized executables like webshells.
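A defender-side hunting helper for the two checks just described (newly created privileged accounts, unexpected executables under the web root). It is added here as an illustration and is not code from the article, CISA or Dassault Systèmes; the account-export layout, the suspect extension list and the fixture names are constructed assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# File types that should not appear unexpectedly in a web-served directory.
# Constructed list: tune it to the content the deployment legitimately serves.
SUSPECT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".exe", ".dll", ".ps1", ".bat"}


def find_unauthorized_executables(web_root, baseline, since):
    """Report suspect files under web_root that are absent from the baseline
    allow-list (relative POSIX paths) or were modified after `since` (UNIX time)."""
    web_root = Path(web_root)
    findings = []
    for path in web_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        rel = path.relative_to(web_root).as_posix()
        if rel not in baseline or path.stat().st_mtime > since:
            findings.append(rel)
    return sorted(findings)


def find_new_privileged_accounts(accounts, since, privileged_roles):
    """accounts: records exported from the application's user store as dicts
    {"name", "created" (UNIX time), "roles"}; this layout is an assumption."""
    return sorted(a["name"] for a in accounts
                  if a["created"] > since and privileged_roles & set(a["roles"]))


def demo():
    """Constructed fixture: one baseline page, one freshly dropped .aspx file,
    and a small constructed account export. Returns both sets of findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        since = time.time() - 3600            # pretend the baseline was taken an hour ago
        (root / "app").mkdir()
        known = root / "app" / "Default.aspx"
        known.write_text("<%@ Page %>")
        os.utime(known, (since - 86400, since - 86400))   # untouched since before baseline
        (root / "app" / "cmd.aspx").write_text("<%@ Page %>")   # constructed drop-in file
        files = find_unauthorized_executables(root, {"app/Default.aspx"}, since)
        accounts = [
            {"name": "line_operator", "created": since - 99999, "roles": ["Operator"]},
            {"name": "svc_backup2", "created": since + 60, "roles": ["Administrator"]},
            {"name": "auditor", "created": since + 120, "roles": ["ReadOnly"]},
        ]
        users = find_new_privileged_accounts(accounts, since, {"Administrator"})
        return files, users
```

In a real deployment the baseline allow-list would come from a known-good install or package manifest, and `since` from the date the unpatched instance was first exposed.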
This is the second recent CISA warning about this software: last month the agency warned that threat actors were exploiting another DELMIA Apriso flaw, CVE-2025-5086, which could lead to remote code execution.