CISA Warns of Actively Exploited Dassault Vulnerabilities

CISA Warns of Two Actively Exploited Dassault DELMIA Apriso Vulnerabilities

Critical flaws in Dassault Systèmes’ DELMIA Apriso platform are under active exploitation, posing serious risk to manufacturing and operational technology environments.

Overview

In October 2025, the Cybersecurity & Infrastructure Security Agency (CISA) issued a warning that two serious vulnerabilities in Dassault Systèmes’ DELMIA Apriso manufacturing-operations platform are being actively exploited in the wild. The two vulnerabilities are:

CVE-2025-6205 – a missing-authorization flaw (critical severity) that allows unauthenticated attackers to gain privileged access.

CVE-2025-6204 – a code-injection vulnerability (high severity) that allows attackers to execute arbitrary code on affected systems.

According to Dassault’s advisory, these flaws affect DELMIA Apriso versions from Release 2020 through Release 2025. The vendor issued patches in early August 2025, and CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, meaning exploitation is confirmed in real-world attacks. Because DELMIA Apriso is used for manufacturing operations management (MOM) and manufacturing execution systems (MES), these vulnerabilities pose a serious risk to production continuity, quality assurance, and supply-chain integrity.

How It Works

DELMIA Apriso integrates manufacturing and supply-chain functions (including plant-floor execution, logistics, production scheduling, and quality tracking) and is often tightly linked with ERP and OT networks. A compromise here can lead to direct operational disruption.

CVE-2025-6205 (Missing Authorization): This flaw (CWE-862) allows unauthenticated attackers to bypass authorization mechanisms and obtain privileged access remotely. Network-exposed instances are at particular risk.

CVE-2025-6204 (Code Injection): Once access is gained, attackers can inject and execute arbitrary code within the Apriso environment, effectively taking control of the application server. The flaw can be used to deploy malware, alter production workflows, or exfiltrate sensitive data.

The two vulnerabilities can be chained: exploitation of the missing authorization flaw (6205) grants admin-level access, followed by exploitation of the code-injection flaw (6204) to execute payloads or deploy persistence mechanisms. This sequence allows adversaries to escalate from simple remote access to full system compromise, potentially reaching connected ERP or OT layers.

Risks

The risks extend beyond traditional IT compromise. Because Apriso operates within manufacturing environments, successful exploitation could result in production downtime, data integrity issues, and even physical process manipulation. Attackers could alter scheduling, modify quality control parameters, or falsify traceability data, all of which have real-world financial and safety implications.

Privilege escalation and lateral movement are also significant concerns. Once attackers control an Apriso instance, they can pivot into broader enterprise or plant networks, accessing systems that control production or logistics processes. Arbitrary code execution provides the ability to install backdoors, disrupt automation flows, and tamper with system logic. In critical industries like aerospace and automotive, such interference could breach compliance and safety standards.

Recommendations

For organisations running DELMIA Apriso or similar MOM/MES systems, swift remediation is critical. Recommended actions include:

  • Identify and assess exposure. Locate all Apriso instances (Releases 2020–2025) and verify whether they are externally accessible or integrated into sensitive OT networks.
  • Apply vendor patches immediately. Dassault Systèmes released fixes in August 2025. Unpatched systems are known to be under active attack.
  • Restrict access. Remove public exposure of Apriso web interfaces. Enforce VPN and MFA for remote administration. Segment Apriso systems in hardened zones.
  • Enhance monitoring. Enable full logging, track creation of new privileged accounts, and look for unusual service calls or file uploads.
  • Review incident response and backups. Ensure reliable recovery mechanisms for manufacturing data and configurations in case of compromise.
  • Engage vendors and partners. Verify that supply-chain and third-party integrators using Apriso are aware of and have remediated the vulnerabilities.
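
One way to act on the "Enhance monitoring" recommendation above, as an added example that is not from CISA, Dassault Systèmes or the original article: it correlates creation of a privileged account with a file upload by that same account shortly afterwards. The JSON event schema, field names, role name, one-hour window and sample events are all constructed assumptions; map them to whatever your own application, web-server and identity logs record.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized JSON-lines schema
# (field names are assumptions, not an actual Apriso log format).
SAMPLE_EVENTS = """\
{"ts": "2025-10-28T02:11:04", "type": "account_created", "actor": null, "target": "svc_maint", "role": "admin", "src": "203.0.113.7"}
{"ts": "2025-10-28T02:13:40", "type": "file_upload", "actor": "svc_maint", "path": "upload-0001.bin", "src": "203.0.113.7"}
{"ts": "2025-10-28T08:00:12", "type": "account_created", "actor": "it_admin", "target": "jdoe", "role": "operator", "src": "10.0.4.21"}
{"ts": "2025-10-28T09:30:00", "type": "account_created", "actor": "it_admin", "target": "plant_admin2", "role": "admin", "src": "10.0.4.21"}
{"ts": "2025-10-29T15:45:00", "type": "file_upload", "actor": "plant_admin2", "path": "recipe.xml", "src": "10.0.4.30"}
"""

PRIVILEGED_ROLES = {"admin"}   # assumed role name; adjust to your deployment
WINDOW = timedelta(hours=1)    # assumed correlation window


def parse_events(text):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=WINDOW):
    """Alert on new privileged accounts and on uploads they make soon after."""
    alerts = []
    new_priv = {}  # account name -> creation time
    for ev in events:
        if ev["type"] == "account_created" and ev.get("role") in PRIVILEGED_ROLES:
            new_priv[ev["target"]] = ev["ts"]
            # No authenticated actor on the creating request is the stronger signal.
            severity = "high" if ev.get("actor") is None else "review"
            alerts.append((severity, "privileged_account_created", ev["target"]))
        elif ev["type"] == "file_upload" and ev.get("actor") in new_priv:
            if ev["ts"] - new_priv[ev["actor"]] <= window:
                alerts.append(("critical", "upload_by_new_privileged_account", ev["actor"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Routine administration still produces "review" alerts for new privileged accounts, so these are best reconciled against change tickets rather than suppressed.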

Even if your environment does not directly include Apriso, this incident illustrates a broader lesson: manufacturing and operational-technology systems increasingly intersect with IT networks, and vulnerabilities here can bridge cyber and physical risk.