CISA Alert: Active Exploits Target Dassault DELMIA Apriso and XWiki in 2025
Executive Summary
In October 2025, cybersecurity authorities including CISA confirmed active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki platforms. Threat actors leveraged flaws such as CVE-2025-6204—an 8.0 CVSS code injection bug—to gain unauthorized access and potential code execution on affected systems. The attackers exploited unpatched systems to facilitate lateral movement, data exfiltration, and possible disruption of manufacturing and enterprise workflows. Affected organizations faced immediate operational risk and the prospect of sensitive information compromise.
This incident highlights a growing trend in rapid exploitation of recently disclosed enterprise software vulnerabilities. With increased attacker focus on supply chain and collaborative platforms, organizations must respond swiftly to new advisories and prioritize vulnerability management programs to reduce exposure to high-severity threats.
Why This Matters Now
Attackers are exploiting new vulnerabilities within days of disclosure, specifically targeting widely-used business platforms. This urgency forces security teams to accelerate patch cycles and reinforces the importance of layered defenses. Delaying remediation even briefly now exposes businesses to operational and reputational threats.
Attack Path Analysis
Attackers exploited a code injection vulnerability in internet-facing Dassault Systèmes DELMIA Apriso and XWiki instances to gain remote initial access. Once inside, they likely sought ways to escalate privileges, possibly abusing misconfigurations or weak controls to expand access. The adversaries then attempted lateral movement within the cloud and hybrid workloads to compromise additional assets. Establishing command and control channels, they used covert mechanisms to maintain remote access and issue instructions. Sensitive data may have been exfiltrated over network channels, potentially bypassing weak egress security. The attackers' final actions could have included data corruption, ransomware deployment, or operational disruption.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited a public code injection flaw in DELMIA Apriso and XWiki to obtain initial foothold on cloud-exposed workloads.
Related CVEs
CVE-2025-6204
CVSS 8An improper control of code generation vulnerability in DELMIA Apriso from Release 2020 through Release 2025 allows an attacker to execute arbitrary code.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wildCVE-2025-6205
CVSS 9.1A missing authorization vulnerability in DELMIA Apriso from Release 2020 through Release 2025 allows an attacker to gain privileged access to the application.
Affected Products:
Dassault Systèmes DELMIA Apriso – Release 2020 through Release 2025
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Server Software Component
Exploitation for Privilege Escalation
Exploitation for Defense Evasion
OS Credential Dumping
Exfiltration Over C2 Channel
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Common Coding Vulnerabilities
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Continuous Vulnerability Management
Control ID: Application Workload: Continuous Vulnerability Management
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Dassault DELMIA Apriso code injection exploits directly threaten manufacturing operations, requiring immediate zero trust segmentation and inline IPS deployment for production systems.
Aviation/Aerospace
Critical manufacturing software vulnerabilities expose aerospace production lines to lateral movement attacks, demanding enhanced east-west traffic security and threat detection capabilities.
Defense/Space
Active exploitation of industrial control systems creates significant national security risks, necessitating encrypted traffic protection and multicloud visibility for defense manufacturing.
Industrial Automation
Code injection vulnerabilities in DELMIA Apriso directly compromise automated manufacturing processes, requiring immediate egress security and anomaly response implementation across operations.
Sources
- Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attackhttps://thehackernews.com/2025/10/active-exploits-hit-dassault-and-xwiki.htmlVerified
- CVE-2025-6204 | Dassault Systèmeshttps://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204Verified
- CVE-2025-6205 | Dassault Systèmeshttps://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205Verified
- CISA Warns of Dassault Systèmes Vulnerabilities Actively Exploited in Attackshttps://cybersecuritynews.com/cisa-dassault-systemes-vulnerabilities/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust Segmentation, East-West Traffic Security, Egress Policy Enforcement, Threat Detection, and Inline IPS at the network layer would have contained the attack, limited lateral spread, and detected or blocked malicious behavior at each stage of the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Blocked inbound exploitation attempts targeting vulnerable services.
Control: Zero Trust Segmentation
Mitigation: Limited privilege escalation to isolated workloads.
Control: East-West Traffic Security
Mitigation: Detected and prevented unauthorized workload-to-workload movement.
Control: Inline IPS (Suricata)
Mitigation: Identified and blocked known C2 traffic and malicious payloads.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized data exfiltration over network.
Enabled rapid detection and response to suspicious impact activities.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Supply Chain Management
- Production Planning
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of proprietary manufacturing data, including production schedules and supply chain information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement cloud firewalls and strict inbound policy controls to block exploitation of exposed services.
- • Enforce Zero Trust Segmentation and least-privilege access to isolate workloads and confine attacker movement.
- • Deploy granular east-west traffic inspection and policy enforcement to rapidly detect lateral movement attempts.
- • Apply comprehensive egress filtering policies and intrinsic IPS for early detection and prevention of command and control or exfiltration activity.
- • Continuously monitor, baseline, and automate incident response to accelerate containment of suspicious or destructive behaviors.
