Executive Summary
In June 2024, CISA issued an alert highlighting active exploitation of two vulnerabilities (CVE-2024-22120 and CVE-2024-22121) within Dassault Systèmes’ DELMIA Apriso platform, a widely used manufacturing operations management solution. The flaws, found in DELMIA Apriso Release 2017 to 2023, allow unauthenticated attackers to execute remote code, potentially compromising production environments and exposing sensitive operational data. Attackers are leveraging these vulnerabilities to target the manufacturing sector for automated ransomware deployment and data exfiltration, resulting in operational disruption and risk to production integrity.
This incident underscores the trend of threat actors focusing on supply chain and OT/IT hybrid platforms, exploiting unpatched flaws for initial access. The urgent CISA advisory signals accelerating regulatory scrutiny and highlights the increased risks posed by software supply chain weaknesses in critical infrastructure sectors.
Why This Matters Now
Threat actors are increasingly exploiting unpatched vulnerabilities in mission-critical industrial management software, putting manufacturers at heightened risk of operational shutdowns, ransomware, and data breaches. Immediate remediation is crucial as regulatory bodies intensify alerts and attackers accelerate exploitation campaigns targeting supply chain and manufacturing ecosystems.
Attack Path Analysis
Attackers exploited the actively targeted vulnerabilities in the Dassault DELMIA Apriso MES/MOM solution to gain initial access to the manufacturing network. Following compromise, they likely leveraged software flaws or misconfigurations for privilege escalation, obtaining broader access to internal resources. The adversary then moved laterally within the environment, traversing east-west to identify higher-value assets or additional vulnerable systems. Having established persistence, the attackers set up command and control channels to orchestrate actions and maintain access. Sensitive manufacturing or operational data was potentially exfiltrated over shadow or covert communication channels to avoid detection. Finally, in the impact phase, the attackers threatened operational disruption, data destruction, or extortion, targeting core business processes.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unpatched vulnerabilities in public-facing DELMIA Apriso servers to gain unauthorized access.
Related CVEs
CVE-2025-6205
CVSS 9.8
A critical missing authorization vulnerability in DELMIA Apriso from Release 2020 through Release 2025 allows unauthenticated remote attackers to gain privileged access.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wild

CVE-2025-6204
CVSS 8.8
A high-severity code injection vulnerability in DELMIA Apriso from Release 2020 through Release 2025 allows attackers with high privileges to execute arbitrary code.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wild

CVE-2025-5086
CVSS 9
A deserialization of untrusted data vulnerability in DELMIA Apriso from Release 2020 through Release 2025 could lead to remote code execution.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation of Remote Services
Exfiltration Over Alternative Protocol
Valid Accounts
Exploitation for Privilege Escalation
Impair Defenses
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of all system components
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9(2)
CISA ZTMM 2.0 – Continuous Vulnerability Management
Control ID: 2.1.3
NIS2 Directive – Supply Chain Security and Vulnerability Disclosure
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Dassault DELMIA Apriso vulnerabilities threaten manufacturing execution systems, enabling lateral movement and data exfiltration in production environments requiring zero trust segmentation.
Aviation/Aerospace
Active exploitation of manufacturing operations management systems creates critical supply chain risks, demanding enhanced threat detection and secure hybrid connectivity for production facilities.
Industrial Automation
Manufacturing execution system vulnerabilities enable attackers to compromise operational technology networks, requiring immediate egress security policy enforcement and anomaly response capabilities.
Machinery
DELMIA Apriso exploitation impacts manufacturing operations management platforms, necessitating multicloud visibility controls and encrypted traffic protection for industrial control systems.
Sources
- CISA warns of two more actively exploited Dassault vulnerabilities: https://www.bleepingcomputer.com/news/security/cisa-warns-of-two-more-actively-exploited-dassault-vulnerabilities/
- CISA Adds One Known Exploited Vulnerability to Catalog: https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
- CVE-2025-6204 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-6204
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, microsegmentation, east-west traffic controls, and egress policy enforcement—specifically as delivered by CNSF-aligned controls—could have detected, limited, or outright prevented attacker movement and data loss following exploitation of these vulnerabilities.
Control: Inline IPS (Suricata)
Mitigation: Prevented or detected inbound exploit attempts.
Control: Zero Trust Segmentation
Mitigation: Constrained lateral privilege escalation through strict identity-based policy.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized east-west movement.
Control: Egress Security & Policy Enforcement
Mitigation: Restricted outbound traffic to known, allowed destinations.
Control: Encrypted Traffic (HPE)
Mitigation: Observed or prevented unapproved data exfiltration in encrypted channels.
Detected and responded to anomalous or destructive behaviors.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations Management
- Production Scheduling
- Quality Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive manufacturing data, including production schedules and quality control records.
Recommended Actions
Key Takeaways & Next Steps
- Apply inline IPS and virtual patching at the cloud perimeter to block exploitation of known vulnerabilities.
- Enforce Zero Trust segmentation and strict identity-based access policies to minimize lateral attacker movement.
- Activate robust east-west traffic monitoring and microsegmentation to promptly detect anomalous internal activity.
- Implement comprehensive egress filtering and encrypted traffic monitoring to prevent C2 and data exfiltration.
- Enable real-time threat detection and automate incident response workflows to contain potential ransomware or destructive operations.
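The egress and east-west controls described in the CNSF section and in the actions above can be expressed as a per-host policy and checked against flow records. The following is an added example (not code from the advisory or from any CNSF product): it assumes a hypothetical DELMIA Apriso MES host, an assumed allowlist of ERP, OPC UA and resolver destinations, and constructed flow-log lines, and it flags flows that leave the allowlist (unauthorized east-west movement, unauthorized egress) as well as an allowed destination being abused for exfiltration over an alternative protocol (oversized DNS).

```python
import ipaddress
from collections import namedtuple

# Constructed policy for a hypothetical DELMIA Apriso MES host; every address,
# network and port below is an assumption for this example, not from the advisory.
MES_HOST = "10.10.5.20"
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # what counts as "internal"
ALLOWED = [                                                 # (dst network, port, proto)
    (ipaddress.ip_network("10.10.6.0/24"), 443, "tcp"),     # ERP / database tier
    (ipaddress.ip_network("10.20.0.0/16"), 4840, "tcp"),    # OPC UA to cell controllers
    (ipaddress.ip_network("10.10.1.53/32"), 53, "udp"),     # internal resolver only
]
DNS_BYTES_LIMIT = 50_000   # per-flow DNS volume above which tunnelling is suspected

Flow = namedtuple("Flow", "src dst port proto bytes_out")

def classify(flow):
    """Return 'allow' or a finding label for one flow leaving the MES host."""
    if flow.src != MES_HOST:
        return "allow"                      # this example only polices the MES host
    dst = ipaddress.ip_address(flow.dst)
    for net, port, proto in ALLOWED:
        if dst in net and flow.port == port and flow.proto == proto:
            # Allowed tuple, but an oversized DNS flow is exfiltration over an
            # alternative protocol that a plain destination allowlist would pass.
            if proto == "udp" and port == 53 and flow.bytes_out > DNS_BYTES_LIMIT:
                return "suspect-dns-exfil"
            return "allow"
    if any(dst in net for net in SITE_NETS):
        return "unauthorized-east-west"     # lateral movement outside policy
    return "unauthorized-egress"            # possible C2 or bulk exfiltration

def parse_flows(lines):
    """Parse constructed 'src dst port proto bytes_out' flow records."""
    return [Flow(s, d, int(p), pr, int(b)) for s, d, p, pr, b in (l.split() for l in lines)]

# Constructed sample flow log: two legitimate flows, then three policy violations.
SAMPLE_LOG = """\
10.10.5.20 10.10.6.15 443 tcp 12000
10.10.5.20 10.20.3.7 4840 tcp 800
10.10.5.20 10.10.7.44 445 tcp 500000
10.10.5.20 203.0.113.9 8443 tcp 9000000
10.10.5.20 10.10.1.53 53 udp 2400000
""".splitlines()

def findings(lines=SAMPLE_LOG):
    """Destinations that violate policy, paired with the reason, in log order."""
    return [(f.dst, v) for f in parse_flows(lines) if (v := classify(f)) != "allow"]
```

Running `findings()` on the constructed log reports the SMB flow to an unlisted internal host, the outbound flow to an address outside the site networks, and the DNS flow whose volume exceeds the limit.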