Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck.
The vulnerabilities are listed below –
- CVE-2025-6204 (CVSS score: 8.0) – A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code.
- CVE-2025-6205 (CVSS score: 9.1) – A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application.
- CVE-2025-24893 (CVSS score: 9.8) – An improper neutralization of input in a dynamic evaluation call (aka eval injection) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the “/bin/get/Main/SolrSearch” endpoint.
Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 2025. They were addressed by Dassault Systèmes in early August.
Interestingly, the addition of the two shortcomings to the Known Exploited Vulnerabilities (KEV) catalog comes a little over a month after CISA flagged the exploitation of another critical flaw in the same product (CVE-2025-5086, CVSS score: 9.0), a week after the SANS Internet Storm Center detected in-the-wild attempts. It’s currently not known if these efforts are related.
VulnCheck, which detected exploitation attempts targeting CVE-2025-24893, said the vulnerability is being abused as part of a two-stage attack chain that delivers a cryptocurrency miner. According to CrowdSec and Cyble, the vulnerability is said to have been weaponized in real-world attacks as far back as March 2025.
“We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam,” VulnCheck’s Jacob Baines said. “The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it.”
The payload uses wget to retrieve a downloader (“x640”) from “193.32.208[.]24:8080” and write it to the “/tmp/11909” location. The downloader, in turn, runs shell commands to fetch two additional payloads from the same server –
- x521, which fetches the cryptocurrency miner located at “193.32.208[.]24:8080/rDuiQRKhs5/tcrond”
- x522, which kills competing miners such as XMRig and Kinsing, and launches the miner with a c3pool.org configuration
The attack traffic, per VulnCheck, originates from an IP address that geolocates to Vietnam (“123.25.249[.]88”) and has been flagged as malicious in AbuseIPDB for engaging in brute-force attempts as recently as October 26, 2025.
In light of active exploitation, users are advised to apply the necessary updates as soon as possible to safeguard against threats. Several Civilian Executive Branch (FCEB) agencies are required to remediate the DELMIA Apriso flaws by November 18, 2025.
