CISA says two Dassault DELMIA Apriso flaws are being actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting two vulnerabilities in Dassault Systèmes’ DELMIA Apriso manufacturing operations solution. The flaws are tracked as CVE-2025-6205, a critical missing-authorization vulnerability that can allow unauthenticated actors to gain privileged access to unpatched installations, and CVE-2025-6204, a high-severity code injection issue that can let attackers with elevated privileges execute arbitrary code.

Dassault Systèmes issued fixes for the two issues in early August 2025 and said the vulnerabilities affect DELMIA Apriso releases from 2020 through 2025. The company published advisories describing the updates and affected versions on its trust center, including a notice on the patched releases and a related notice on the flaws themselves.

CISA has added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after flagging them as being exploited in the wild.

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies are required to secure affected systems within three weeks, with the deadline cited as Nov. 18. CISA noted that the directive applies to U.S. government agencies but urged all IT administrators and network defenders to prioritize patching or apply vendor-provided mitigations as soon as possible.

The agency previously added a critical remote code execution issue, CVE-2025-5086, to the KEV catalog in September. That inclusion followed early signs of exploitation reported by researcher Johannes Ullrich, who documented activity in a post on the SANS Internet Storm Center at isc.sans.edu.

DELMIA Apriso is used globally to manage warehouses, schedule production, allocate resources, manage quality and integrate production equipment with business applications. It is commonly deployed in automotive, electronics, aerospace and industrial machinery sectors where traceability and compliance are important. CISA advised organizations to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.