Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack

Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck.

The vulnerabilities are listed below –

  • CVE-2025-6204 (CVSS score: 8.0) – A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code.
  • CVE-2025-6205 (CVSS score: 9.1) – A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application.
  • CVE-2025-24893 (CVSS score: 9.8) – An improper neutralization of input in a dynamic evaluation call (aka eval injection) in XWiki that could allow any guest user to perform arbitrary remote code execution by means of a request to the “/bin/get/Main/SolrSearch” endpoint.

Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 2025. They were addressed by Dassault Systèmes in early August.

Interestingly, the addition of the two shortcomings to the Known Exploited Vulnerabilities (KEV) catalog comes a little over a month after CISA flagged the exploitation of another critical flaw in the same product (CVE-2025-5086, CVSS score: 9.0), a week after the SANS Internet Storm Center detected in-the-wild attempts. It is currently not known if these efforts are related.

VulnCheck, which detected exploitation attempts targeting CVE-2025-24893, said the vulnerability is being abused as part of a two-stage attack chain that delivers a cryptocurrency miner. According to CrowdSec and Cyble, the vulnerability is said to have been weaponized in real-world attacks as far back as March 2025.

“We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam,” VulnCheck’s Jacob Baines said. “The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it.”

The payload uses wget to retrieve a downloader (“x640”) from “193.32.208[.]24:8080” and write it to the “/tmp/11909” location. The downloader, in turn, runs shell commands to fetch two additional payloads from the same server –

  • x521, which fetches the cryptocurrency miner located at “193.32.208[.]24:8080/rDuiQRKhs5/tcrond”
  • x522, which kills competing miners such as XMRig and Kinsing, and launches the miner with a c3pool.org configuration

The attack traffic, per VulnCheck, originates from an IP address that geolocates to Vietnam (“123.25.249[.]88”) and has been flagged as malicious in AbuseIPDB for engaging in brute-force attempts as recently as October 26, 2025.
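
A triage sketch for the two-pass pattern described above, added here as an example and not taken from VulnCheck or the original article: it scans a web access log for requests to the SolrSearch endpoint and flags source IPs whose requests are separated by at least 20 minutes. The combined log format, the sample log lines and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/bin/get/Main/SolrSearch"   # endpoint named in the article
MIN_GAP = timedelta(minutes=20)         # minimum gap between passes per VulnCheck
# Attack-traffic source IP from the article, written without defanging brackets.
IOC_IPS = {"123.25.249.88"}

# Assumption: the server writes Apache/nginx "combined" access logs.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

# Constructed sample log; timestamps and query strings are placeholders.
SAMPLE_LOG = """\
123.25.249.88 - - [01/Nov/2025:10:00:05 +0000] "GET /bin/get/Main/SolrSearch?x=constructed HTTP/1.1" 200 512
198.51.100.7 - - [01/Nov/2025:10:01:00 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 2048
203.0.113.9 - - [01/Nov/2025:10:02:00 +0000] "GET /bin/get/Main/SolrSearch?x=constructed HTTP/1.1" 200 512
203.0.113.9 - - [01/Nov/2025:10:02:30 +0000] "GET /bin/get/Main/SolrSearch?x=constructed HTTP/1.1" 200 512
123.25.249.88 - - [01/Nov/2025:10:24:40 +0000] "GET /bin/get/Main/SolrSearch?x=constructed HTTP/1.1" 200 512
"""

def parse(lines):
    """Yield (source_ip, timestamp, path) for each parsable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, path = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def two_pass_suspects(lines):
    """Return source IPs with SolrSearch requests spaced >= MIN_GAP apart."""
    hits = defaultdict(list)
    for ip, ts, path in parse(lines):
        # endswith() tolerates a servlet context prefix in front of /bin
        if path.split("?", 1)[0].rstrip("/").endswith(ENDPOINT):
            hits[ip].append(ts)
    findings = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if any(gap >= MIN_GAP for gap in gaps):
            findings[ip] = {"requests": len(times), "max_gap": max(gaps),
                            "known_ioc": ip in IOC_IPS}
    return findings

if __name__ == "__main__":
    for ip, info in two_pass_suspects(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Legitimate search traffic also reaches this endpoint, so a hit is a lead for reviewing the request parameters and checking the host for “/tmp/11909”, not a verdict.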

In light of active exploitation, users are advised to apply the necessary updates as soon as possible to safeguard against threats. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the DELMIA Apriso flaws by November 18, 2025.
