Article Details

Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack. Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck. The vulnerabilities are listed below - Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 2025. They were addressed by Dassault Systèmes in early August. Interestingly, the addition of the two shortcomings to the Known Exploited Vulnerabilities (KEV) catalog comes a little over a month after CISA flagged the exploitation of another critical flaw in the same product (CVE-2025-5086, CVSS score: 9.0), a week after the SANS Internet Storm Center detected in-the-wild attempts. It's currently not known if these efforts are related. VulnCheck, which detected exploitation attempts targeting CVE-2025-24893, said the vulnerability is being abused as part of a two-stage attack chain that delivers a cryptocurrency miner. According to CrowdSec and Cyble, the vulnerability is said to have been weaponized in real-world attacks as far back as March 2025. "We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam," VulnCheck's Jacob Baines said. "The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it." The payload uses wget to retrieve a downloader ("x640") from "193.32.208[.]24:8080" and write it to the "/tmp/11909" location. The downloader, in turn, runs shell commands to fetch two additional payloads from the same server - The attack traffic, per VulnCheck, originates from an IP address that geolocates to Vietnam ("123.25.249[.]88") and has been flagged as malicious in AbuseIPDB for engaging in brute-force attempts as recently as October 26, 2025. In light of active exploitation, users are advised to apply the necessary updates as soon as possible to safeguard against threats. Several Civilian Executive Branch (FCEB) agencies are required to remediate the DELMIA Apriso flaws by November 18, 2025.