CVE-2025-6205 — Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability

CVE-2025-6205

Dassault Systèmes DELMIA Apriso — Unauthenticated SOAP Account Creation; ICS/MES Exploitation Chain with CVE-2025-6204

What is Dassault Systèmes DELMIA Apriso?

DELMIA Apriso is a Manufacturing Execution System (MES) from Dassault Systèmes, the French industrial software company behind the 3DEXPERIENCE platform (also known for CATIA and SolidWorks). An MES sits at the intersection of enterprise IT and operational technology (OT) — it coordinates factory-floor production processes, tracks work orders, manages quality control, and integrates with PLCs, SCADA systems, and ERP platforms like SAP.

Apriso is deployed across automotive, aerospace, high-tech electronics, and life sciences manufacturing. Because it bridges IT and OT networks, a compromise of the Apriso server can provide an attacker with lateral movement paths into otherwise isolated operational technology environments — making it a high-value ICS/OT target.

Overview

CVE-2025-6205 is a missing authorization vulnerability (CWE-862) in Dassault Systèmes DELMIA Apriso that allows an unauthenticated attacker to create a privileged user account via a crafted SOAP request. On its own, it grants attacker-controlled privileged access to the MES application. When chained with companion vulnerability CVE-2025-6204 (a CVSS 8.0 authenticated file upload flaw), the two-stage attack achieves unauthenticated remote code execution under the web server context. CISA added both vulnerabilities to the KEV catalog simultaneously on October 28, 2025.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| DELMIA Apriso 2020 | All builds | Apply Dassault patch |
| DELMIA Apriso 2021 | All builds | Apply Dassault patch |
| DELMIA Apriso 2022 | All builds | Apply Dassault patch |
| DELMIA Apriso 2023 | All builds | Apply Dassault patch |
| DELMIA Apriso 2024 | All builds | Apply Dassault patch |
| DELMIA Apriso 2025 | All builds | Apply Dassault patch |

Specific patched build numbers are not publicly disclosed — contact Dassault Systèmes support or reference the security advisory portal for your release.

Technical Details

The vulnerability is a missing authorization check (CWE-862) on a SOAP message processing endpoint. An unauthenticated attacker can send a specially crafted SOAP request that invokes an administrative function to create a new user account with "Production User" role privileges — without supplying credentials.

Two-stage exploitation chain with CVE-2025-6204:

  1. CVE-2025-6205 (this CVE): Send an unauthenticated SOAP request to create a new privileged Apriso user account
  2. CVE-2025-6204 (CVSS 8.0, authenticated file upload): Use the newly created account credentials to upload a malicious file to a web-served directory, achieving RCE under the web server process context

Combined, the two vulnerabilities produce a full unauthenticated remote code execution chain against any internet-accessible DELMIA Apriso instance. The web server typically runs with access to production databases, quality records, and OT integration bridges.

Key characteristics:

  • Step 1 (CVE-2025-6205) is fully unauthenticated, low complexity
  • Exploitation of both CVEs is needed for RCE; CVE-2025-6205 alone gives privileged application access
  • CVSS availability impact is None for this CVE; the RCE impact comes through the chained CVE-2025-6204

Discovery

Discovery attribution was not publicly provided in the Dassault advisory. CISA assessed that "advanced persistent threat groups or criminal actors" were targeting ICS and manufacturing environments with these vulnerabilities.

Exploitation Context

CISA added CVE-2025-6205 and CVE-2025-6204 to the KEV catalog simultaneously on October 28, 2025, confirming active exploitation in the wild. The ICS/OT context — Apriso bridges enterprise IT and factory-floor operational technology — makes this target set particularly sensitive. Compromise of an MES can provide attackers with visibility into production schedules, quality control processes, and network paths into PLC and SCADA environments.

No specific threat actor has been publicly attributed, but CISA's language around "advanced persistent threat groups" targeting industrial control systems is consistent with nation-state actor interest in manufacturing disruption or espionage.

Remediation

  1. Apply Dassault patches immediately — contact Dassault Systèmes support or access your 3DEXPERIENCE platform security portal for patched build details for your Apriso release (2020–2025).
  2. Restrict network access to the Apriso server — the SOAP endpoint is exploitable over the network; firewall the Apriso server to allow only known application servers and administrators, not the open internet.
  3. Apply the patch for CVE-2025-6204 simultaneously — the two vulnerabilities are a chained attack; both must be patched to prevent RCE.
  4. Audit Apriso user accounts — look for unexpected accounts created after August 4, 2025 that match the "Production User" role with no corresponding provisioning ticket.
  5. Review file upload directories — check for unexpected files in web-served paths that could be webshells placed via CVE-2025-6204.
  6. Assess OT network exposure — if Apriso has integration connections to PLC, SCADA, or DCS systems, review whether those connections could be abused from a compromised Apriso context; consider network segmentation hardening.
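
The account and upload-directory audits from steps 4 and 5, as an added example (not Dassault tooling and not code from the original page). The CSV columns, the extension list and the sample rows are assumptions constructed for illustration; the cutoff date and role name are the ones given in step 4.

```python
import csv
import io
from datetime import datetime, timezone
from pathlib import Path

CUTOFF = datetime(2025, 8, 4, tzinfo=timezone.utc)  # date given in step 4
ROLE = "Production User"                             # role named in step 4
# Assumption: extensions an IIS-style web server would execute; adjust per deployment.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml"}

def suspicious_accounts(user_csv, ticketed_users):
    """Return (flagged, unparsable) usernames from a user export. Assumed columns
    (hypothetical export, not Apriso's schema): username, role, created_utc."""
    known = {u.lower() for u in ticketed_users}
    flagged, unparsable = [], []
    for row in csv.DictReader(io.StringIO(user_csv)):
        if row["role"].strip() != ROLE:
            continue
        try:
            created = datetime.fromisoformat(row["created_utc"]).replace(tzinfo=timezone.utc)
        except ValueError:
            unparsable.append(row["username"])  # review by hand, never skip silently
            continue
        if created >= CUTOFF and row["username"].lower() not in known:
            flagged.append(row["username"])
    return flagged, unparsable

def recent_script_files(web_root, since=CUTOFF):
    """List server-executable files under web_root modified on or after `since`."""
    hits = []
    for path in Path(web_root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                hits.append(str(path))
    return sorted(hits)

# Constructed sample export, for illustration only.
SAMPLE = """username,role,created_utc
jdoe,Production User,2024-03-11T09:00:00
svc_line4,Production User,2025-09-02T02:14:07
mes_tmp01,Production User,2025-09-19T23:51:30
qa_lead,Quality Manager,2025-09-20T10:00:00
legacy7,Production User,not-recorded
"""

if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE, ticketed_users={"svc_line4"}))
```

File modification times can be reset, so treat the output of `recent_script_files` as triage and compare against a known-good file manifest where one exists.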

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2025-6205 |
| Vendor / Product | Dassault Systèmes — DELMIA Apriso |
| NVD Published | 2025-08-04 |
| NVD Last Modified | 2025-10-29 |
| CVSS 3.1 Score | 9.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Severity | CRITICAL |
| CWE | CWE-862 |
| CISA KEV Added | 2025-10-28 |
| CISA KEV Deadline | 2025-11-18 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |

Required Action

CISA BOD 22-01 Deadline: 2025-11-18. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2025-08-04 | CVE published; Dassault Systèmes releases patches |
| 2025-10-28 | Added to CISA Known Exploited Vulnerabilities catalog (alongside companion CVE-2025-6204) |
| 2025-11-18 | CISA BOD 22-01 remediation deadline |