The US cyber agency warns of active exploitation of flaws that could lead to full application compromise of a popular manufacturing operations management platform.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in Dassault Systèmes’ DELMIA Apriso manufacturing operations management platform to its Known Exploited Vulnerabilities Catalog, confirming that hackers are already on the warpath.
CVE-2025-6204 is a code injection vulnerability, while CVE-2025-6205 is a missing authorisation vulnerability that could lead to an attacker gaining privileged access to the platform.
While worrying by themselves, the pair of vulnerabilities can be chained together, according to researchers Rahul Maini, Harsh Jaiswal, and Parth Malhotra.
“DELMIA Apriso is a manufacturing execution and operations orchestration platform used by large manufacturers, service providers, and critical infrastructure operators. Because the product exposes multiple integration points (SOAP, file uploads, provisioning feeds) that are often reachable from internal networks, we performed a focused black-box assessment to surface integration and surface-area weaknesses,” the trio said in a 24 September Project Discovery blog post.
“Our testing uncovered two chained, high-impact issues: an unauthenticated SOAP provisioning endpoint that can create accounts with elevated roles, and an upload handler that fails to canonicalise filenames, allowing authenticated users to drop executable files into a web-served directory. Together, these lead to full application compromise and were assigned CVE-2025-6204 and CVE-2025-6205.”
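The researchers' description above names two failures: a provisioning endpoint reachable without authentication, and an upload handler that does not canonicalise filenames before writing into a web-served directory. The following Python is an added illustration of what a canonicalising upload handler does, written for this article and not taken from Project Discovery's research or from Dassault Systèmes' product. The directory layout, the extension allow/block lists and the sample filenames are all constructed for the example; a real deployment would tune them to its own server stack.

```python
"""Safe handling of an untrusted upload filename: reduce it to a single path
component, refuse executable or server-side content, and keep the storage
root outside the web-served tree. Added example; not DELMIA Apriso code."""
import posixpath
import unicodedata
from pathlib import PurePosixPath, PureWindowsPath

# Hypothetical layout: uploads live outside the web root, so even a file that
# slips past the extension policy is never served or executed by the web server.
WEB_ROOT = PurePosixPath("/srv/app/wwwroot")
UPLOAD_ROOT = PurePosixPath("/srv/app/uploads")

# Constructed policy lists for this example; tune them to the real stack.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".csv", ".txt"}
BLOCKED_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp",
                      ".cshtml", ".exe", ".dll", ".config", ".htaccess"}


class UnsafeFilename(ValueError):
    """Raised when an uploaded filename cannot be made safe."""


def canonical_filename(user_supplied: str) -> str:
    """Reduce an untrusted filename to one safe path component."""
    if "\x00" in user_supplied:
        raise UnsafeFilename("embedded NUL byte")
    # Fold Unicode compatibility forms (e.g. fullwidth solidus) to ASCII first,
    # so the separator checks below see the character the filesystem will see.
    name = unicodedata.normalize("NFKC", user_supplied)
    # Drop any directory part, treating both '/' and '\\' as separators.
    name = PureWindowsPath(PurePosixPath(name).name).name
    # Windows ignores trailing dots and spaces, so "x.aspx." would land as "x.aspx".
    name = name.strip().rstrip(". ")
    if name in ("", ".", "..") or name.startswith("."):
        raise UnsafeFilename("empty, relative or hidden name")
    if any(ch in name for ch in ':"<>|*?') or any(ord(ch) < 32 for ch in name):
        raise UnsafeFilename("reserved or control character in name")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    # Check every suffix, so "shell.aspx.png"-style double extensions are caught.
    if any(s in BLOCKED_EXTENSIONS for s in suffixes):
        raise UnsafeFilename("executable or server-side extension")
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename("extension not in allow-list")
    return name


def is_storage_root_safe(upload_root: PurePosixPath, web_root: PurePosixPath) -> bool:
    """True when the upload root is neither the web root nor inside it."""
    return web_root not in (upload_root, *upload_root.parents)


def resolve_upload_path(user_supplied: str,
                        upload_root: PurePosixPath = UPLOAD_ROOT,
                        web_root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    """Return the absolute storage path for an upload, or raise UnsafeFilename."""
    if not is_storage_root_safe(upload_root, web_root):
        raise UnsafeFilename("upload root is inside the web-served directory")
    target = upload_root / canonical_filename(user_supplied)
    # Belt and braces: normalise after the join and re-check containment.
    normalised = PurePosixPath(posixpath.normpath(str(target)))
    if normalised.parent != upload_root:
        raise UnsafeFilename("path escaped the upload root")
    return normalised


# Constructed sample filenames: one benign, the rest shaped like the inputs a
# non-canonicalising handler would mishandle.
SAMPLE_NAMES = [
    "report.pdf",
    "../../wwwroot/shell.aspx",
    "..\\..\\wwwroot\\shell.aspx",
    "shell.aspx.png",
    "shell.aspx.",
    "report.pdf\x00.aspx",
]


def classify(names=SAMPLE_NAMES) -> dict:
    """Map each sample name to its stored path, or to the rejection reason."""
    out = {}
    for n in names:
        try:
            out[n] = str(resolve_upload_path(n))
        except UnsafeFilename as exc:
            out[n] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(repr(name), "->", verdict)
```

Two design points matter more than any single check: the name is reduced to a bare component before it is joined to a directory, so traversal sequences in either separator style never reach the filesystem; and the storage root is verified to be outside the served tree, so an extension-policy mistake degrades to a wasted file rather than remote code execution.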
The vulnerabilities impact Release 2020 through Release 2025 of DELMIA Apriso. CVE-2025-6204 has a CVSS score of 8.0, rating it as high severity, while CVE-2025-6205 is rated a critical severity vulnerability, with a CVSS score of 9.1.
The issues were first reported to 3DS Security in May 2025, and the two CVEs were assigned in August.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.