CISA adds two more DELMIA Apriso flaws to KEV: what to hunt and how to fix fast
CISA confirmed active exploitation of two more DELMIA Apriso vulnerabilities and added them to the Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Federal agencies have three weeks under BOD 22-01; the remediation due date cited is November 18, 2025. (BleepingComputer). (bleepingcomputer.com)
DELMIA Apriso is a manufacturing operations/MES platform commonly deployed on Windows with IIS and a backend database. Vendor advisories state both CVEs affect releases 2020 through 2025, with the missing authorization bug enabling privileged access and the code injection bug enabling arbitrary code execution under specific conditions. (Dassault Systèmes CVE-2025-6205, CVE-2025-6204; NVD 6205, NVD 6204). (3ds.com)
Here’s why this matters for forensics: Apriso’s web tier runs on IIS, and prior in-the-wild activity against Apriso leveraged SOAP/WCF endpoints in the application (for CVE-2025-5086), giving us concrete URL and payload patterns to hunt. (SANS ISC diary showing Apriso exploit POSTs to /apriso/WebServices/FlexNetOperationsService.svc/Invoke). (isc.sans.edu)
Intrusion Flow
- Initial access paths we expect:
- CVE-2025-6205: unauthenticated requests gaining privileged application access (pre-auth). (Vendor CVE page, NVD summary). (3ds.com)
- CVE-2025-6204: code injection that requires high privileges; feasible as a second stage after gaining elevated access (post-auth). (Vendor CVE page, NVD summary). (3ds.com)
- Likely target surface: Apriso IIS web apps and WCF/SOAP services under /Apriso/… (mirroring the previously observed CVE-2025-5086 patterns against FlexNetOperationsService). (SANS ISC example request). (isc.sans.edu)
- Where CISA stands: additions to KEV mean “active exploitation” (attempted or successful) has been observed, and remediation is required under BOD 22-01 timelines for FCEB agencies. (CISA KEV explainer). (cisa.gov)
- Context: CISA previously added DELMIA Apriso CVE-2025-5086 in September 2025 after observed exploit attempts. (CISA alert, Sept. 11, 2025, SANS ISC diary). (cisa.gov)
Key Artifacts to Pull
- IIS HTTP server logs
- Default path: %SystemDrive%\inetpub\logs\LogFiles\W3SVC (W3C format). (Microsoft Learn, Azure Monitor note on default path). (learn.microsoft.com)
- Hunt for:
- Unauthenticated 200/302 responses to sensitive endpoints immediately after 401/403s.
- SOAP POSTs to Apriso services like /Apriso/WebServices/FlexNetOperationsService.svc/Invoke with large XML payloads (seen in prior Apriso exploitation). (SANS ISC request example). (isc.sans.edu)
- Apriso application logs
- Common locations observed in vendor docs and field guidance: C:\Temp\AprisoLogs; logging behavior is controlled via LoggingConfiguration.xml and centralized configuration services. (Apriso install guide excerpt, 3DS community thread referencing C:\temp\AprisoLog\… files, Andea blog on MI logging default path, Apriso docs referencing CentralConfiguration LoggingConfiguration.xml via ConfigurationService.svc). (scribd.com)
- Windows telemetry on the web tier
- Parent process: IIS worker process w3wp.exe; watch for child process spawns (cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe). (Microsoft Learn: IIS worker process is w3wp.exe). (learn.microsoft.com)
- Database audit surfaces
- SQL Server/Oracle logs for unexpected schema changes, stored procedure execution, or long-running jobs that align with the web-tier timestamps. (Apriso documentation shows reliance on SQL/Oracle backends for features and tooling.) (Apriso GPM requirements referencing SQL/Oracle clients). (nmom-coe.noboauto.com)
Detection Notes
- IIS log hunting (KQL-style over normalized logs)
// Look for large SOAP POSTs to Apriso services and anomalous auth patterns
// Column names assume a normalized IIS table; map them to your schema (Azure Monitor's W3CIISLog uses csUriStem, csBytes, TimeGenerated, etc.)
IISLogs
| where cs_method == "POST" and cs_uri_stem contains "/Apriso/"
| where cs_uri_stem contains "/WebServices/" or cs_uri_stem contains "/Portal/" or cs_uri_stem contains ".svc"
| extend isLarge = tolong(cs_bytes) > 20000 or tolong(sc_bytes) > 20000
| where isLarge or cs_uri_stem contains "FlexNetOperationsService.svc/Invoke"
| summarize count(), take_any(cs_username), take_any(c_ip) by bin(TimeGenerated, 15m), cs_uri_stem
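As an added example (not from the page, the vendor, or any SIEM product), the following Python parses W3C IIS log lines offline and applies the two hunts listed above: oversized SOAP POSTs to Apriso .svc endpoints (plus any POST to the FlexNetOperationsService Invoke path) and unauthenticated 200/302 responses that follow a 401/403 from the same client on the same path. The log lines, IPs, user agents and byte counts are constructed sample data, and the field order assumes the default IIS W3C layout.

```python
from datetime import datetime
# Constructed W3C IIS log sample (not real traffic); default IIS field layout.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2025-10-27 03:12:01 10.0.0.5 GET /Apriso/Portal/Default.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 401 2 5 1200 300 15
2025-10-27 03:12:04 10.0.0.5 POST /Apriso/WebServices/FlexNetOperationsService.svc/Invoke - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 512 48211 420
2025-10-27 03:12:09 10.0.0.5 GET /Apriso/Portal/Default.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 9000 250 30
2025-10-27 03:15:00 10.0.0.5 POST /Apriso/WebServices/FlexNetOperationsService.svc/Invoke - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 512 48211 420
2025-10-27 08:00:00 10.0.0.5 POST /Apriso/WebServices/SomeService.svc/Invoke - 443 CORP\\mes_svc 10.0.0.40 Mozilla/5.0 - 200 0 0 300 1800 20
"""

def parse_w3c(text):
    """Parse W3C IIS log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#"):
            continue                      # other directives (#Software, #Date, ...)
        elif len(parts := line.split()) == len(fields):   # skip truncated rows
            rec = dict(zip(fields, parts))
            rec["ts"] = datetime.fromisoformat(rec["date"] + "T" + rec["time"])
            records.append(rec)
    return records

def large_soap_posts(records, min_bytes=20000):
    """POSTs to Apriso .svc endpoints with oversized bodies, plus any POST to the
    FlexNetOperationsService Invoke endpoint seen in prior Apriso exploitation."""
    hits = []
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or "/apriso/" not in stem or ".svc" not in stem:
            continue
        if int(r["cs-bytes"]) > min_bytes or stem.endswith("flexnetoperationsservice.svc/invoke"):
            hits.append((r["ts"], r["c-ip"], r["cs-uri-stem"], int(r["cs-bytes"])))
    return hits

def unauth_success_after_denial(records, window_s=300):
    """401/403 for a client on a stem followed within window_s seconds by a 200/302
    on the same stem with no authenticated cs-username (the pre-auth pattern)."""
    last_denied, hits = {}, []
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        if r["sc-status"] in ("401", "403"):
            last_denied[key] = r["ts"]          # remember the most recent denial per client/path
        elif r["sc-status"] in ("200", "302") and r["cs-username"] == "-":
            denied_at = last_denied.pop(key, None)
            if denied_at and (r["ts"] - denied_at).total_seconds() <= window_s:
                hits.append((r["ts"], r["c-ip"], r["cs-uri-stem"]))
    return hits
```

Point `parse_w3c` at the contents of a u_ex*.log file from the W3SVC folder above; both hunts are read-only over the log and raise the byte threshold or window as your baseline dictates.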
- Web-to-process pivot on Windows endpoints (Sysmon Event ID 1 process creation, or Defender for Endpoint advanced hunting as shown here)
// w3wp.exe spawning LOLBINs or script interpreters
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ ("cmd.exe","powershell.exe","rundll32.exe","regsvr32.exe","mshta.exe","wmic.exe")
- Privilege anomaly (application logs)
- Review Apriso auth/role change events around first-seen external IPs or service accounts; anomalous admin role grants following unauthenticated requests can indicate CVE-2025-6205 abuse. (Vendor description: missing authorization enables privileged access). (3ds.com)
- Payload indicators (from prior Apriso exploitation)
- SOAPAction headers like “IFlexNetOperationsService/Invoke” with base64-like blobs in XML content. (SANS ISC request example). (isc.sans.edu)
Response Guidance
- Patch planning now
- Apply Dassault’s updates for affected releases 2020-2025; vendor published remediation in early August 2025 for both CVEs. (Vendor CVE pages, CVE-2025-6204; news coverage). (3ds.com)
- FCEB agencies: track the KEV entry deadline; CISA indicates three-week remediation for new KEV entries under BOD 22-01 (the cited due date for these two is November 18, 2025). (CISA KEV explainer, news date/due date). (cisa.gov)
- Compromise assessment
- Treat the Apriso web tier as potentially compromised if you find indicators; collect IIS logs, Apriso logs (C:\Temp\AprisoLogs\ and any override paths in LoggingConfiguration.xml), Windows Event Logs, and EDR telemetry before patching. (IIS default log paths, Apriso logging references, install guide excerpt). (learn.microsoft.com)
- If child-process execution from w3wp.exe is observed, isolate, rotate credentials (service accounts, DB users, integration secrets), and rebuild the web tier from a known-good baseline. (Microsoft Learn: w3wp is IIS worker process). (learn.microsoft.com)
- Exposure management
- If Apriso endpoints are internet-exposed, restrict to VPN or IP allowlists and enforce TLS with modern cipher suites while patching proceeds. Align with your enterprise exception process if OT change windows are constrained, but do not leave KEV-listed products unmitigated. (CISA KEV program intent and criteria). (cisa.gov)
Here’s what we’d pull first
- From the Apriso server(s):
- %SystemDrive%\inetpub\logs\LogFiles\W3SVC* (and any reverse proxy/WAF logs in front). (Microsoft default path). (learn.microsoft.com)
- C:\Temp\AprisoLogs\ and any path referenced by LoggingConfiguration.xml; capture the entire folder. (Install guide excerpt). (scribd.com)
- Windows Event Logs (Application, System, Security), plus EDR process trees around w3wp.exe. (Microsoft Learn: w3wp is IIS worker process). (learn.microsoft.com)
- From the database tier:
- SQL Server error log and default trace, recent job history (SQL Agent), and Apriso schema modification timestamps that correlate to web-tier anomalies. (Apriso documentation references SQL/Oracle backends for operations and tooling.) (GPM requirements). (nmom-coe.noboauto.com)
Takeaways
- Prioritize patching Apriso to the fixed August 2025 levels for CVE-2025-6205 and CVE-2025-6204; these are confirmed as exploited in the wild. (Vendor CVEs, CVE-2025-6204, KEV news). (3ds.com)
- Hunt IIS logs for suspicious Apriso service calls (notably large SOAP POSTs under /Apriso/WebServices/… and anomalous auth patterns), and review Apriso application logs in C:\Temp\AprisoLogs\ (or your configured path). (SANS request example, IIS default, Apriso logging references). (isc.sans.edu)
- Alert on w3wp.exe spawning script interpreters or LOLBINs; if found, assume code execution and rotate credentials. (Microsoft Learn). (learn.microsoft.com)
- FCEB agencies: track the KEV due date (November 18, 2025 for these entries) and close within BOD 22-01 timelines; others should patch with the same urgency. (CISA KEV explainer, news due date). (cisa.gov)
Sources / References
- BleepingComputer: CISA warns of two more actively exploited Dassault vulnerabilities (Oct 28, 2025): https://www.bleepingcomputer.com/news/security/cisa-warns-of-two-more-actively-exploited-dassault-vulnerabilities/
- Dassault Systèmes CVE-2025-6205 advisory: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
- Dassault Systèmes CVE-2025-6204 advisory: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
- NVD entry: CVE-2025-6205: https://nvd.nist.gov/vuln/detail/CVE-2025-6205
- NVD entry: CVE-2025-6204: https://nvd.nist.gov/vuln/detail/CVE-2025-6204
- CISA: Reducing the Significant Risk of Known Exploited Vulnerabilities (KEV explainer): https://www.cisa.gov/known-exploited-vulnerabilities
- CISA alert (Sept 11, 2025) adding Apriso CVE-2025-5086 to KEV: https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
- SANS ISC diary: Exploit Attempts for Dassault DELMIA Apriso (CVE-2025-5086): https://isc.sans.edu/diary/Exploit%2BAttempts%2Bfor%2BDassault%2BDELMIA%2BApriso%2BCVE20255086/32256/
- Microsoft Learn: Configure Logging in IIS (default log path): https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- Azure Monitor: Collect IIS logs (default path note): https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-iis
- Microsoft Learn: WorkerProcess class (w3wp.exe is IIS worker process): https://learn.microsoft.com/en-us/iis/wmi-provider/workerprocess-class
- Apriso GPM Requirements (SQL/Oracle client dependencies): https://nmom-coe.noboauto.com/Apriso/Help/en-us/GlobalProcessManager/Requirements.htm
- Apriso Database Documentation (LoggingConfiguration and CentralConfiguration references): https://mom-syzq.sany.com.cn/apriso/Help/en-us/DB/start.htm
- 3DS community thread referencing Apriso logs under C:\temp\AprisoLog\…: https://3dswym.3dexperience.3ds.com/post/delmia-manufacturing-operations-management/foundation-training-bi003-issue_hmeLGjD2SOq4CzEtNSgObg
- Andea: Apriso Machine Integrator logging default path C:\Temp\AprisoLogs\: https://www.andea.com/resources/blog/machine-integrator-in-delmia-apriso-how-to-seamlessly-connect-your-machines-to-mes-logic/
- Apriso Install Guide excerpt (paths, LoggingConfiguration.xml): https://www.scribd.com/document/924678903/Apriso-InstallGuide