
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two DELMIA Apriso vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Today’s addition of CVE-2025-6204 and CVE-2025-6205 to the KEV catalog follows last month’s addition of CVE-2025-5086 to the CISA database, which was the first addition of an industrial control system (ICS)/operational technology (OT) vulnerability to the exploited vulnerabilities catalog since December 2023. However, IT vulnerabilities added to the KEV catalog often appear in ICS/OT products too.
DELMIA Apriso is manufacturing operations management (MOM) and manufacturing execution system (MES) software from Dassault Systèmes that is used to manage production processes and connect factory floors to enterprise resource planning (ERP) systems.
In a blog post last month, Johannes Ullrich, SANS Internet Storm Center (ISC) founder and Dean of Research for SANS Technology Institute, said DELMIA Apriso differs from the small IoT devices that are often the focus of manufacturing security in that it is “‘big software’ that is used to manage manufacturing. ... This type of Manufacturing Operation Management (MOM) or Manufacturing Execution System (MES) ties everything together and promises to connect factory floors to ERP systems. But complex systems like this have bugs, too.”
DELMIA Apriso Vulnerabilities CVE-2025-6204 and CVE-2025-6205 Under Attack
CISA typically doesn’t say what threat groups are exploiting vulnerabilities added to the KEV catalog or how they’re being exploited, and CISA’s latest DELMIA Apriso notice only says that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
CISA gave federal civilian agencies a deadline of November 18 to patch the vulnerabilities.
CVE-2025-6205 is the higher-rated of the two vulnerabilities, a 9.1-severity Missing Authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to gain privileged access to the application.
CVE-2025-6204 is an 8.0-rated Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to execute arbitrary code.
Both vulnerabilities were initially published in the National Vulnerability Database (NVD) on August 4, 2025. The Dassault Systèmes advisories for CVE-2025-6204 and CVE-2025-6205 include links for customers to access remediation information.
CVE-2025-5086, the DELMIA Apriso vulnerability added to the CISA KEV database in September, is a 9.0-rated Deserialization of Untrusted Data vulnerability that also affects Release 2020 through Release 2025 and could lead to remote code execution. That vulnerability was initially published on June 2, 2025.
Before CVE-2025-5086, an analysis by The Cyber Express shows that the most recent ICS/OT vulnerability added to the KEV catalog was CVE-2023-6448, a 9.8-severity Insecure Default Password vulnerability in Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs.