CISA and VulnCheck have confirmed that active exploitation is targeting several high-severity vulnerabilities across two different platforms: Dassault Systèmes DELMIA Apriso and XWiki. The U.S. government has added the two flaws affecting DELMIA Apriso to its Known Exploited Vulnerabilities (KEV) catalog, signaling that federal agencies and other organizations must immediately patch these risks to protect against ongoing attacks.
The two main flaws in DELMIA Apriso (versions Release 2020 through Release 2025) are CVE-2025-6205, a missing authorization bug rated at a critical CVSS score of 9.1, and CVE-2025-6204, a code injection flaw with a high CVSS score of 8.0. The vendor, Dassault Systèmes, released patches for both of these vulnerabilities in early August.
Security researchers from ProjectDiscovery demonstrated that these two Apriso flaws can be successfully chained together into a devastating exploit. This chain allows an attacker to first create accounts with elevated privileges using the missing authorization vulnerability, and then use the code injection flaw to drop executable files into a web-served directory, ultimately resulting in a full application compromise of the manufacturing operations platform.
The inclusion of these two Apriso flaws in CISA’s KEV catalog follows a similar warning issued only a month earlier concerning a separate critical vulnerability in the same product, CVE-2025-5086 (CVSS 9.0). This suggests an ongoing and focused interest by threat actors in exploiting this specific industrial control system software, though it remains unclear if the different exploitation efforts are related.
Separately, the third major vulnerability under active attack is a critical eval injection flaw in XWiki, identified as CVE-2025-24893 (CVSS 9.8). VulnCheck, which first detected exploitation attempts on October 24, 2025, reports that this vulnerability is being abused in a two-stage attack. This attack chain exploits the flaw to deliver a cryptocurrency miner to affected systems, with evidence from other security firms suggesting the vulnerability has been weaponized since as early as March 2025.
Reference:
