CISA Adds New Vulnerabilities for DELMIA Apriso to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting DELMIA Apriso to its Known Exploited Vulnerabilities (KEV) catalog. The two entries, CVE-2025-6204 and CVE-2025-6205, are part of the agency's ongoing effort to track and mitigate risks to industrial control systems (ICS) and operational technology (OT).
Overview of DELMIA Apriso and its Significance
DELMIA Apriso, developed by Dassault Systèmes, is a manufacturing operations management (MOM) and manufacturing execution system (MES) platform used to manage production processes. It links factory-floor operations with enterprise resource planning (ERP) systems, which lets manufacturers streamline production and the decisions that depend on it. Although CISA's latest additions concern DELMIA Apriso specifically, the broader point stands: vulnerabilities in ordinary IT software frequently surface inside ICS/OT environments as well.
Recent Vulnerabilities in Context
The new KEV entries follow last month's addition of CVE-2025-5086, which marked the first ICS/OT vulnerability added to the catalog since December 2023. Together they reflect the changing threat landscape in manufacturing cybersecurity: large software platforms such as DELMIA Apriso can harbor exploitable vulnerabilities just as readily as the smaller Internet of Things (IoT) devices that usually receive most of the attention in this domain.
Johannes Ullrich, founder of the SANS Internet Storm Center and Dean of Research for SANS Technology Institute, emphasized that DELMIA Apriso is a significant software solution that integrates various manufacturing aspects. He noted, “Complex systems like this have bugs, too,” highlighting the critical nature of vigilance in maintaining cybersecurity.
Details on CVE-2025-6204 and CVE-2025-6205
The two vulnerabilities newly added to the KEV catalog pose serious risks. CVE-2025-6205, with a severity rating of 9.1, is classified as a Missing Authorization vulnerability and affects releases from 2020 through 2025. It could allow an adversary to gain unauthorized access to the DELMIA Apriso application.
CVE-2025-6204, rated 8.0, is an Improper Control of Generation of Code vulnerability, commonly known as Code Injection. It affects the same range of releases and could allow an external attacker to execute arbitrary code.
Impact and Urgency for Remediation
CISA notes that vulnerabilities of this kind are frequent targets for malicious cyber actors and pose significant risk to federal and commercial organizations alike. Accordingly, CISA has directed federal civilian agencies to remediate both vulnerabilities by November 18. The short deadline underscores the urgency for any organization running DELMIA Apriso to review its exposure and apply the vendor's fixes.
Previous Vulnerabilities and Their Implications
CVE-2025-5086, added to the catalog in September, shares similar characteristics with the new entries. It carries a severity rating of 9.0, is classified as a Deserialization of Untrusted Data vulnerability, and can lead to remote code execution. It affects the same range of releases and was first published in June 2025. The attention these vulnerabilities have received illustrates a broader trend in the cybersecurity landscape, as organizations increasingly recognize the need to protect critical infrastructure.
Concluding Thoughts on ICS/OT Security
Before DELMIA Apriso drew this attention, the KEV catalog already included earlier ICS/OT entries such as CVE-2023-6448, a 9.8-rated Insecure Default Password vulnerability affecting Unitronics VisiLogic prior to version 9.9.00. That history highlights the persistent vulnerabilities within the ICS and OT sectors, and the growing number of such catalog entries signals an urgent need for manufacturers to make cybersecurity a priority in their operational strategies.