The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities in Dassault Systèmes DELMIA Apriso to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are actively exploiting them in real-world attacks.
The alert, issued on October 28, 2025, mandates that federal agencies apply mitigations by November 18, 2025, and urges all organizations using DELMIA Apriso to act immediately.
What Is DELMIA Apriso?
DELMIA Apriso is a widely used manufacturing operations management platform that helps global enterprises coordinate production, logistics, and quality operations.
Because it sits at the core of manufacturing environments, any compromise can have serious operational and financial consequences.
Active Exploitation in Manufacturing Environments
CISA’s notice highlights two distinct vulnerabilities that have been exploited in active cyber campaigns targeting industrial networks:
CVE-2025-6204 – Code Injection (CWE-94)
This flaw allows attackers to inject and execute arbitrary code on vulnerable systems.
By exploiting it, malicious actors can run unauthorized commands and potentially gain complete control over affected servers or manufacturing endpoints.
CVE-2025-6205 – Missing Authorization (CWE-862)
This vulnerability stems from insufficient authorization controls, allowing attackers to bypass authorization checks and gain elevated privileges within the DELMIA Apriso application.
When exploited together, these two flaws form a high-risk attack chain enabling adversaries to:
- Infiltrate manufacturing environments
- Manipulate or disrupt production data
- Deploy ransomware or establish long-term persistence within industrial networks
Why CISA’s Warning Matters
CISA’s inclusion of CVE-2025-6204 and CVE-2025-6205 in the KEV catalog confirms that active exploitation is already underway.
While specific incidents haven’t been disclosed, this step signals verified, real-world attacks.
The 21-day remediation window underscores the serious nature of the threat and its potential to disrupt manufacturing and supply chain operations across industries.
Required Actions and Mitigation Steps
CISA requires all federal civilian executive branch agencies to apply vendor patches or mitigations by November 18, 2025.
For cloud-based deployments, organizations should follow Binding Operational Directive (BOD) 22-01 for cloud security compliance.
If patching is not immediately possible, CISA strongly advises discontinuing use of the affected product until secure configurations are implemented.
Recommended Actions for All Organizations
- Apply Dassault Systèmes patches immediately for all affected DELMIA Apriso versions.
- Isolate manufacturing networks using segmentation to reduce lateral movement risks.
- Review access logs for suspicious activity or unauthorized privilege escalation.
- Monitor for code injection attempts, unusual network traffic, or unauthorized application access.
- Restrict internet exposure of DELMIA Apriso systems wherever possible.
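To make the log-review and monitoring items above concrete, the following is an added example (not code from CISA, Dassault Systèmes, or the original article) that scans constructed reverse-proxy access-log lines for indicators matching the two vulnerability classes: a privileged route served successfully to a request with no session (missing authorization), and executable-looking expressions in a request (code injection). The URL paths, the trailing session field and the injection markers are assumptions and must be replaced with the deployment's real administrative routes and session cookie.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real DELMIA Apriso logs): combined log format from a
# reverse proxy, extended with the session cookie value (or "-" when none was sent).
SAMPLE_LOG = """\
10.0.5.21 - - [29/Oct/2025:08:01:12 +0000] "GET /apriso/Portal/Home HTTP/1.1" 200 5120 "sess=a1b2"
203.0.113.7 - - [29/Oct/2025:08:02:40 +0000] "POST /apriso/Admin/UserRoles HTTP/1.1" 200 812 "-"
203.0.113.7 - - [29/Oct/2025:08:03:05 +0000] "GET /apriso/Portal/Report?expr=System.Diagnostics.Process.Start(%22cmd%22) HTTP/1.1" 500 0 "-"
10.0.5.30 - - [29/Oct/2025:08:04:11 +0000] "POST /apriso/Admin/UserRoles HTTP/1.1" 403 0 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<session>[^"]*)"$'
)

# Assumed privileged path prefixes; adjust to the deployment's real administrative routes.
PRIVILEGED_PREFIXES = ("/apriso/Admin/",)

# Assumed markers of code/expression injection attempts; matched after URL decoding.
INJECTION_RE = re.compile(
    r"(System\.Diagnostics|Process\.Start|Runtime\.getRuntime|<\?php|\$\(|`|\beval\s*\()", re.I
)


def analyze_access_log(text: str) -> list[dict]:
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ip, target, status, session = m["ip"], m["target"], int(m["status"]), m["session"]
        path = target.split("?", 1)[0]
        decoded = unquote_plus(target)
        # Missing-authorization indicator: privileged route, no session, yet a 2xx response.
        # A 403 on the same route is the expected outcome and is not flagged.
        if path.startswith(PRIVILEGED_PREFIXES) and session == "-" and 200 <= status < 300:
            findings.append({"ip": ip, "rule": "unauthenticated_privileged_success", "target": path})
        # Code-injection indicator: executable-looking expression anywhere in the decoded request.
        if INJECTION_RE.search(decoded):
            findings.append({"ip": ip, "rule": "code_injection_marker", "target": decoded})
    return findings


if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the function flags the unauthenticated 200 on the admin route and the encoded expression in the report request, while the 403 on the same admin route is left alone.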
The Bigger Picture: Securing Industrial Operations
Manufacturing systems have become a prime target for cybercriminals, especially as industrial automation and IoT integration grow.
Vulnerabilities like SessionReaper in Magento, and now these DELMIA Apriso flaws in industrial contexts, underscore the need for continuous monitoring, timely patching, and network segmentation.
Given the confirmed exploitation of DELMIA Apriso vulnerabilities, defenders should assume that scanning and attack attempts are ongoing and act swiftly to secure their environments.
Key Takeaways
- CVE-2025-6204 (code injection) and CVE-2025-6205 (missing authorization) are under active exploitation.
- CISA mandates patching by November 18, 2025.
- Manufacturing and industrial networks are at elevated risk of ransomware and operational disruption.
- Immediate patching, segmentation, and monitoring are essential to protect production systems.