IIS

Two DELMIA Apriso vulnerabilities, CVE-2025-6205 (missing authorization) and CVE-2025-6204 (code injection), are now in CISA’s Known Exploi...

CISA adds two more DELMIA Apriso flaws to KEV: what to hunt and how to fix fast

4n6 Beat

CISA confirmed active exploitation of two more DELMIA Apriso vulnerabilities and added them to the Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Federal agencies have three weeks under BOD 22-01; the remediation due date cited is November 18, 2025. (BleepingComputer, bleepingcomputer.com)

DELMIA Apriso is a manufacturing operations/MES platform commonly deployed on Windows with IIS and a backend database. Vendor advisories state both CVEs affect releases 2020 through 2025, with the missing authorization bug enabling privileged access and the code injection bug enabling arbitrary code execution under specific conditions. (Dassault Systèmes CVE-2025-6205, CVE-2025-6204; NVD 6205, NVD 6204; 3ds.com)

TOLLBOOTH (REF3927): Leaked ASP.NET machine keys to IIS code exec, SEO cloaking, and persistence

4n6 Beat

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in-process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off-the-shelf tools like Godzilla and GotoHTTP. (Elastic report, elastic.co)

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. (Microsoft Security Blog, microsoft.com)