According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck, attackers are actively exploiting multiple security flaws affecting Dassault Systèmes’ DELMIA Apriso and XWiki.
The vulnerabilities are listed below.
CVE-2025-6204 (CVSS score: 8.0) – A code injection vulnerability in Dassault Systèmes DELMIA Apriso could allow an attacker to execute arbitrary code. CVE-2025-6205 (CVSS Score: 9.1) – A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso could allow an attacker to gain privileged access to the application. CVE-2025-24893 (CVSS score: 9.8) – Improper invalidation of input in XWiki’s dynamic evaluation call (aka eval injection) may allow guest users to perform arbitrary remote code execution via a request to the “/bin/get/Main/SolrSearch” endpoint.
CVE-2025-6204 and CVE-2025-6205 both affect DELMIA Apriso versions from Release 2020 to Release 2025. These were addressed by Dassault Systèmes in early August.
Interestingly, these two flaws were added to the Known Exploited Vulnerabilities (KEV) catalog a little more than a month after CISA reported the exploitation of another critical flaw in the same product (CVE-2025-5086, CVSS score: 9.0) and a week after the SANS Internet Storm Center detected the actual attack. It is currently unclear whether these efforts are related.
VulnCheck, which detected the exploitation attempt targeting CVE-2025-24893, stated that the vulnerability is being exploited as part of a two-step attack chain targeting cryptocurrency miners. According to CrowdSec and Cyble, this vulnerability is said to have been weaponized in actual attacks as far back as March 2025.
“We have observed multiple exploitation attempts against our XWiki canaries from attackers located in Vietnam,” said VulnCheck’s Jacob Baines. “The exploit proceeds in a two-pass workflow at least 20 minutes apart. The first pass executes the downloader (writes the file to disk), and then the second pass executes it.”
The payload uses wget to retrieve the downloader (‘x640’) from ‘193.32.208’.[.]24:8080″ and writes it to the “/tmp/11909” location. The downloader then executes a shell command to retrieve two additional payloads from the same server.
x521, get the cryptocurrency miner located at “193.32.208”.[.]24:8080/rDuiQRKhs5/tcrond” x522. Kill competing miners such as XMRig and Kinsing and start miners with c3pool.org configuration.
According to VulnCheck, the attack traffic originates from an IP address (“123.25.249”) located in Vietnam.[.]88″) and has been flagged as malicious by AbuseIPDB for brute force attacks by October 26, 2025.
Given the active exploitation, users are advised to apply necessary updates to protect against threats as soon as possible. Several Civilian Executive Branch (FCEB) agencies have until November 18, 2025 to fix deficiencies in DELMIA Apriso.
Source link
