CVE-2025-6204 — Dassault Systèmes DELMIA Apriso Code Injection Vulnerability

CVE-2025-6204

Dassault Systèmes DELMIA Apriso — Authenticated File Upload Code Injection; Step 2 of CVE-2025-6205 → RCE Chain; ICS/MES Target

What is Dassault Systèmes DELMIA Apriso?

DELMIA Apriso is a Manufacturing Execution System (MES) used in automotive, aerospace, high-tech, and life sciences manufacturing to coordinate factory-floor operations, production planning, and quality management. See CVE-2025-6205 for the full product context on DELMIA Apriso's role in industrial/OT environments.

Overview

CVE-2025-6204 is a code injection vulnerability (CWE-94) in Dassault Systèmes DELMIA Apriso and the second step of a two-CVE attack chain. An account holding the "Production User" role can upload a file with server-side executable content into a directory the web server serves, which yields remote code execution on the Apriso application server. On its own this requires credentials (the standalone vector carries PR:H). Chained with its companion CVE-2025-6205 (missing authorization: an unauthenticated SOAP request creates a Production User account), the pair gives unauthenticated remote code execution against any unpatched instance reachable over the network, with internet-exposed instances the obvious target. CISA added both CVEs to the KEV catalog on the same day, October 28, 2025.

Affected Versions

Product                      Vulnerable    Fixed
DELMIA Apriso 2020           All builds    Apply Dassault patch
DELMIA Apriso 2021–2025      All builds    Apply Dassault patch

Technical Details

The code injection (CWE-94) is reached through Apriso's file upload functionality, which is available to accounts holding the "Production User" role. The upload endpoint does not sufficiently restrict file type or content, so an authenticated user can place a file with server-side executable content into a web-accessible directory. Apriso is an ASP.NET application hosted on IIS, so the relevant payloads are the file types IIS hands to a script engine (an ASPX page, or an ASHX/ASMX handler, for example). When the attacker then requests the uploaded file over HTTP, IIS compiles and runs it, and the attacker's code executes with the identity of the Apriso application pool on the server.
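As an added illustration of the pattern just described (not DELMIA Apriso code; the function names, directory layout and type allowlist are hypothetical), the weak upload handling behind CWE-94 file-upload bugs is shown beside a hardened version: a single allowlisted extension, a content check against the extension, a server-generated name, and storage outside any served directory.

```python
"""Weak vs. hardened upload handling: an added illustration, not DELMIA Apriso code.
Function names, directory layout and the type allowlist are hypothetical."""
import secrets
import tempfile
from pathlib import Path

# Allowlisted upload types and the signature each must start with
# (None = text format with no fixed signature). Constructed for this example.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".csv": None,
}


def save_upload_weak(webroot: Path, filename: str, data: bytes) -> Path:
    """The weak pattern: the client-supplied name is only stripped of directory
    components, and the file lands in a directory the web server both serves
    and executes. A name like 'shell.aspx' becomes a reachable webshell."""
    dest = webroot / "Uploads" / Path(filename).name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_hardened(store: Path, filename: str, data: bytes) -> str:
    """Allowlist a single extension, check the content matches it, discard the
    client's name, and write outside every served directory. Returns an opaque
    token; a download handler would later map the token back to the file and
    send it with Content-Disposition: attachment, never by URL path."""
    suffixes = [s.lower() for s in Path(Path(filename).name).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED_TYPES:
        # rejects 'shell.aspx', 'report.pdf.aspx' and names without an extension alike
        raise ValueError(f"extension not allowed: {filename!r}")
    ext = suffixes[0]
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not data.startswith(magic):
        raise ValueError(f"content is not {ext}")
    if magic is None and b"\x00" in data:
        raise ValueError("binary content in a text upload")
    token = secrets.token_hex(16)
    store.mkdir(parents=True, exist_ok=True)
    (store / f"{token}{ext}").write_bytes(data)
    return token


def demo() -> dict:
    """Run both handlers over constructed inputs and return the outcome per case."""
    base = Path(tempfile.mkdtemp(prefix="upload-demo-"))
    webroot, store = base / "wwwroot", base / "data"
    # Constructed webshell body, illustrative only.
    shell = b'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["c"]); %>'
    outcomes = {"weak_accepts_aspx": save_upload_weak(webroot, "shell.aspx", shell).exists()}
    cases = [
        ("aspx", "shell.aspx", shell),
        ("double_extension", "report.pdf.aspx", shell),
        ("pdf_name_script_body", "report.pdf", shell),
        ("genuine_pdf", "report.pdf", b"%PDF-1.4\n% constructed sample\n"),
    ]
    for label, name, content in cases:
        try:
            save_upload_hardened(store, name, content)
            outcomes[label] = "stored"
        except ValueError:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

The hardened version still does not make uploads safe to serve by path: the point of the opaque token and the separate store is that nothing a client sends ever becomes a URL under the web root, so even a file that passes the content check can never be executed by IIS.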

Two-CVE unauthenticated RCE chain:

  1. CVE-2025-6205 (Step 1, CVSS 9.1): Unauthenticated SOAP request creates a "Production User" account — no credentials required
  2. CVE-2025-6204 (Step 2, this CVE, CVSS 8.0): Use the newly created Production User account to upload a malicious file → RCE on the Apriso server

The High privilege requirement (PR:H) in this CVE's standalone vector reflects that Production User privileges are needed. CVSS scores are not additive across a chain, but since CVE-2025-6205 hands an unauthenticated attacker exactly those privileges, the chain as a whole requires no privileges at all, and the standalone 8.0 understates the practical risk.

The Changed scope (S:C) means the impacted component is not the vulnerable one: the flaw is in the web application, but the code runs on the underlying host with the application pool's identity, and from there the attacker can reach whatever that host can reach, including any OT-connected systems Apriso integrates with.

Discovery

Discovery not publicly attributed. CISA confirmed active exploitation before the KEV listing.

Exploitation Context

CISA added CVE-2025-6204 and CVE-2025-6205 to the KEV catalog on the same day, October 28, 2025, which means CISA had evidence of active exploitation of both; given that this CVE is only reachable with an account the other CVE creates, the chain is the expected attack path. The ICS/manufacturing context makes this high-stakes: Apriso bridges enterprise IT and factory-floor OT, so post-exploitation access can extend to production line controls and quality management systems. See CVE-2025-6205 for the ICS/OT targeting context.

Remediation

  1. Apply Dassault patches immediately for both CVE-2025-6204 and CVE-2025-6205; both must be patched to close the full unauthenticated RCE chain. The CISA deadline was November 18, 2025.
  2. Patch CVE-2025-6205 first: removing the ability to create Production User accounts without authentication also removes the chain's route to this CVE's upload step. Note that the patch does not remove accounts an attacker created before it was applied, which is why step 4 is still required.
  3. Audit Apriso's web-accessible directories for unexpected server-executable files (ASPX, ASHX, ASMX or other script files) that could be webshells, paying particular attention to directories that receive user uploads, where no executable file should exist at all. Comparing the web root against a clean installation of the same build, and checking IIS logs for HTTP requests to any newly appeared script file, both help separate legitimate patch activity from attacker artifacts.
  4. Audit Production User accounts created after August 4, 2025 for any without corresponding legitimate provisioning records, and disable or remove those you cannot account for.
  5. Restrict network access to Apriso to internal networks only; no direct internet exposure.
  6. See CVE-2025-6205 for additional ICS/OT-specific remediation guidance.
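The following is an added example of the web-root audit in step 3, written here for this page and not part of Dassault's guidance. It assumes the usual IIS/ASP.NET deployment of Apriso; the upload directory names, the webshell content markers and the sample files are constructed and hypothetical, so replace UPLOAD_DIR_NAMES with the directories your instance actually writes user-supplied files into before running it against a real web root.

```python
"""Audit an IIS web root for uploaded files that would execute server-side.

Added example, not DELMIA Apriso code. It assumes Apriso's usual IIS/ASP.NET
deployment; UPLOAD_DIR_NAMES is a hypothetical list and must be replaced with
the directories your instance actually writes user-supplied files into.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Extensions IIS maps to a script engine by default (ASP.NET and classic ASP),
# plus a few that should never appear under an IIS web root at all.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".php", ".jsp"}

# Hypothetical names of directories that hold user-supplied files. Any
# server-executable file inside one of them is a finding regardless of content.
UPLOAD_DIR_NAMES = {"uploads", "attachments", "temp"}

# Content markers common in ASP.NET webshells (constructed list, not exhaustive).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"Process\.Start\s*\(", re.I),
    re.compile(rb"System\.Diagnostics", re.I),
    re.compile(rb"cmd\.exe|powershell", re.I),
    re.compile(rb"Request\s*(\[|\.Form|\.QueryString|\.Params)[^;]{0,60}(cmd|exec|command)", re.I),
    re.compile(rb"\beval\s*\(", re.I),
]
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}


def classify(path: Path, root: Path, cutoff: datetime) -> Optional[dict]:
    """Return a finding for one file, or None if nothing stands out."""
    if path.suffix.lower() not in EXECUTABLE_EXTENSIONS:
        return None
    rel = path.relative_to(root)
    in_upload_dir = any(part.lower() in UPLOAD_DIR_NAMES for part in rel.parts[:-1])
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    try:
        head = path.read_bytes()[:65536]  # the first 64 KiB is enough for marker checks
    except OSError:
        head = b""
    markers = [p.pattern.decode() for p in SUSPICIOUS_PATTERNS if p.search(head)]

    if in_upload_dir:
        severity = "HIGH"       # executable content where only data should live
    elif mtime >= cutoff and markers:
        severity = "MEDIUM"     # script added after the cutoff with shell-like content
    else:
        return None             # old, or new but clean: vendor patches also touch files
    return {"path": rel.as_posix(), "severity": severity,
            "modified": mtime.isoformat(), "markers": markers}


def scan_webroot(root: str, cutoff: datetime) -> list:
    """Walk `root` and return findings, HIGH first."""
    root_path = Path(root)
    findings = []
    for path in root_path.rglob("*"):
        if path.is_file():
            finding = classify(path, root_path, cutoff)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["path"]))
    return findings


def build_demo_webroot() -> str:
    """Create a constructed sample web root in a temp directory (not real Apriso data)."""
    root = Path(tempfile.mkdtemp(prefix="apriso-audit-"))
    old = datetime(2025, 1, 15, tzinfo=timezone.utc).timestamp()
    new = datetime(2025, 9, 1, tzinfo=timezone.utc).timestamp()
    samples = {
        "Default.aspx": (b'<%@ Page Language="C#" %><html>ok</html>', old),     # legitimate, old
        "Uploads/report.pdf": (b"%PDF-1.4\n", new),                              # data file, fine
        "Uploads/img.aspx": (b'<%@ Page %><% System.Diagnostics.Process.Start(Request["cmd"]); %>', new),
        "App/helper.ashx": (b'<%@ WebHandler %> "cmd.exe /c " + Request.Form["exec"]', new),
        "App/patched.aspx": (b'<%@ Page %><html>fixed</html>', new),            # new but clean
    }
    for rel, (content, ts) in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        os.utime(target, (ts, ts))
    return str(root)


def run_demo() -> list:
    """Scan the constructed web root using the CVE's NVD publication date as cutoff."""
    cutoff = datetime(2025, 8, 4, tzinfo=timezone.utc)
    return scan_webroot(build_demo_webroot(), cutoff)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['severity']:6} {f['path']:22} modified={f['modified']} markers={len(f['markers'])}")
```

Against the constructed tree this reports Uploads/img.aspx as HIGH (any script in an upload directory) and App/helper.ashx as MEDIUM (a handler modified after the cutoff with shell-like content), while the old Default.aspx and the freshly patched but clean App/patched.aspx are ignored. Modification times are attacker-controllable and the marker list is easy to evade, so treat a clean result as "nothing obvious" rather than "nothing there", and pair it with the web-root comparison and IIS log review from step 3.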

Key Details

Property               Value
CVE ID                 CVE-2025-6204
Vendor / Product       Dassault Systèmes — DELMIA Apriso
NVD Published          2025-08-04
NVD Last Modified      2025-10-29
CVSS 3.1 Score         8.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-94
CISA KEV Added         2025-10-28
CISA KEV Deadline      2025-11-18
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      High
Privileges Required    High
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-11-18. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-08-04    CVE published; Dassault Systèmes releases patches
2025-10-28    Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2025-6205)
2025-11-18    CISA BOD 22-01 remediation deadline