Security pros confirmed Wednesday that teams should pay attention to the three actively exploited security flaws that made news over the past couple of days.

Two of them were added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog — a flaw rated 8.0 and a critical bug rated 9.1 (CVSS), both in the Dassault Systèmes DELMIA Apriso manufacturing software suite.

The bug with the lower score — CVE-2025-6204 — was a code injection vulnerability that could let an attacker execute arbitrary code. The critical flaw — CVE-2025-6205 — was a missing authorization bug that could let attackers gain privileged access to the Dassault application.

Jason Soroko, senior fellow at Sectigo, explained that attackers can chain the Apriso pair to create privileged accounts and drop executables in web servers.

“This drives a full compromise scenario that aligns with the KEV signal,” said Soroko.

Soroko said security teams should patch Apriso versions from Release 2020 through Release 2025 using the vendor updates issued in early August and remove any temporary exceptions once complete.

The third flaw reported over the past couple of days was an "improper neutralization of input in a dynamic evaluation call" in XWiki. The bug was discovered by VulnCheck, which said it could let any guest user achieve arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint.

John Carberry, solution sleuth at Xcape, Inc., said that while the flaw is not yet on the KEV list, teams should treat internet-facing XWiki as the second priority: patch or upgrade, limit access, and analyze logs for any unusual query activity.

“For XWiki, activate WAF rules for Groovy/Solr endpoints, review recent admin actions, and block known indicators of crypto-mining activity,” said Carberry. “Assume everything with a confirmed exploit is a zero-day in your environment until proven otherwise.”
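One way to do the log review recommended above, as an added example that is not from the article, from VulnCheck or from the XWiki project: a small Python scanner over constructed access-log lines that flags requests to the SolrSearch endpoint named above whose decoded query carries XWiki macro syntax. The combined log format, the sample lines and the `{{` indicator are assumptions; tune the indicator to your own environment.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# Line 2 carries percent-encoded "{{groovy}}" in the search text.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=quarterly+report HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 3841 "-" "python-requests/2.32"
203.0.113.12 - - [10/Oct/2025:12:00:03 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Assumed combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
SOLR_ENDPOINT = "/bin/get/Main/SolrSearch"   # endpoint named in the article
MACRO_MARKER = "{{"                          # XWiki macro syntax; assumed indicator


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(rec):
    """Return a finding if the request hits the SolrSearch endpoint with macro
    syntax in any decoded query parameter, else None."""
    parts = urlsplit(rec["target"])
    if parts.path != SOLR_ENDPOINT:
        return None
    # parse_qs decodes once; a second unquote catches double-encoded values.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)
            if MACRO_MARKER in decoded:
                return {"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                        "param": name, "value": decoded, "ua": rec["ua"]}
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings, unparseable lines skipped."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            finding = flag_request(rec)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['param']}={f['value']!r} ua={f['ua']}")
```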