Cybersecurity agencies have issued a warning about active exploitation of multiple severe vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with threat intelligence firm VulnCheck, has confirmed that attackers are already using these flaws to compromise systems and deploy malicious payloads.
According to CISA’s latest alert, the following vulnerabilities are under active exploitation:
CVE-2025-6204 (CVSS Score: 8.0) – A code injection flaw in Dassault Systèmes DELMIA Apriso that allows attackers to execute arbitrary code remotely.
CVE-2025-6205 (CVSS Score: 9.1) – A missing authorization vulnerability in DELMIA Apriso that can give attackers unauthorized privileged access to the application.
CVE-2025-24893 (CVSS Score: 9.8) – An eval injection vulnerability in XWiki that lets even guest users perform remote code execution (RCE) through a malicious request sent to the “/bin/get/Main/SolrSearch” endpoint.
The first two vulnerabilities (CVE-2025-6204 and CVE-2025-6205) impact DELMIA Apriso versions from Release 2020 through Release 2025. Dassault Systèmes released security patches for these flaws in August 2025, but many organizations appear to have delayed applying them — leaving their systems exposed.
According to researchers Rahul Maini, Harsh Jaiswal, and Parth Malhotra from ProjectDiscovery, the two DELMIA Apriso flaws can be combined in a chain attack to completely compromise affected systems.
Attackers can first exploit the authorization flaw to create admin-level accounts, and then leverage the code injection vulnerability to upload and execute malicious files on the web server. This combination provides full control of the application, including the ability to run arbitrary code, steal data, or pivot deeper into corporate networks.
CISA’s alert also highlights that this is not an isolated incident. Just last month, another vulnerability in the same product — CVE-2025-5086 (CVSS 9.0) — was confirmed to be under attack. The SANS Internet Storm Center had reported in-the-wild exploitation attempts shortly before CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog.
While it’s not yet clear whether the recent attacks are related to the previous campaigns, experts warn that cybercriminals are increasingly targeting industrial and enterprise software like DELMIA Apriso due to its role in manufacturing and supply chain management.
In a separate development, VulnCheck has observed active exploitation of the XWiki eval injection vulnerability (CVE-2025-24893). According to the company’s researcher Jacob Baines, the flaw is being used in a two-stage attack chain designed to deploy a cryptocurrency miner on compromised servers.
The attack begins with an initial HTTP request that drops a downloader onto the target system. After a delay of around 20 minutes, a second request executes the downloader, which retrieves additional payloads from a remote server located at 193.32.208[.]24:8080.
The downloader, named x640, fetches two additional files:
- x521 – Downloads and installs a cryptocurrency miner hosted at 193.32.208[.]24:8080/rDuiQRKhs5/tcrond.
- x522 – Terminates other mining processes like XMRig and Kinsing, ensuring that only the attacker’s miner runs. It then connects to a c3pool.org mining pool to start mining cryptocurrency.
The malicious activity reportedly originates from an IP address in Vietnam (123.25.249[.]88), which has a recent history of brute-force attacks, as documented in AbuseIPDB as of October 26, 2025.
Further analysis by CrowdSec and Cyble suggests that exploitation of CVE-2025-24893 began as early as March 2025. Attackers have been refining their methods over time, using staged payloads and delayed execution to evade traditional security monitoring systems.
This campaign demonstrates how cybercriminals are using open-source platforms like XWiki as attack vectors to build cryptojacking networks and gain persistent access to enterprise environments.
Given the confirmed active exploitation of these flaws, CISA is urging all organizations, especially those in the Federal Civilian Executive Branch (FCEB), to apply the available patches immediately. Agencies are required to remediate the DELMIA Apriso vulnerabilities by November 18, 2025, to maintain compliance with federal cybersecurity mandates.
Security teams should:
- Update all instances of DELMIA Apriso (Releases 2020–2025) to the latest patched versions.
- Upgrade XWiki installations and apply the vendor’s security fix for CVE-2025-24893.
- Monitor network logs for connections to suspicious IPs such as 193.32.208[.]24 and 123.25.249[.]88.
- Implement strict access controls to reduce the risk of privilege escalation.
- Scan for indicators of compromise (IoCs), especially signs of unauthorized file uploads or crypto mining processes.
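A triage sketch for the log-monitoring step above, added here as an example and not taken from CISA, VulnCheck or XWiki: it scans web access logs for clients matching the article's two IoC addresses and for pairs of requests to the SolrSearch endpoint from one client, spaced like the staged chain VulnCheck described. The combined log format, the 10 to 40 minute window and the sample lines are assumptions; the endpoint can also carry ordinary search traffic, so hits are leads to review rather than verdicts, and connections to the payload host belong to egress logs, which this does not read.

```python
import re
from datetime import datetime, timedelta

# IoC addresses as published in the article (defanged there, refanged for matching).
IOC_IPS = {s.replace("[.]", ".") for s in ("193.32.208[.]24", "123.25.249[.]88")}
ENDPOINT = "/bin/get/Main/SolrSearch"
# Assumed combined-log layout: client - user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def triage(lines, min_gap=timedelta(minutes=10), max_gap=timedelta(minutes=40)):
    """Return (ioc_clients, staged_pairs) found in access-log lines."""
    hits, ioc_clients = {}, set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing
        client, stamp, _method, path, _status = m.groups()
        if client in IOC_IPS:
            ioc_clients.add(client)
        # Compare the path only; the query string is ignored on purpose.
        if path.split("?", 1)[0].rstrip("/") == ENDPOINT:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            hits.setdefault(client, []).append(when)
    staged = []
    for client, times in hits.items():
        times.sort()
        # Two endpoint hits from one client, separated by roughly the reported delay.
        for first, second in zip(times, times[1:]):
            if min_gap <= second - first <= max_gap:
                staged.append((client, first, second))
    return ioc_clients, staged

# Constructed sample log (not real traffic); query strings are placeholders.
SAMPLE = [
    '203.0.113.7 - - [27/Oct/2025:09:00:01 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 5120',
    '123.25.249.88 - - [27/Oct/2025:09:02:10 +0000] "GET /bin/get/Main/SolrSearch?text=PLACEHOLDER HTTP/1.1" 200 812',
    '203.0.113.7 - - [27/Oct/2025:09:05:00 +0000] "GET /bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 2048',
    '123.25.249.88 - - [27/Oct/2025:09:22:30 +0000] "GET /bin/get/Main/SolrSearch?text=PLACEHOLDER HTTP/1.1" 200 790',
    'truncated or malformed line',
]

if __name__ == "__main__":
    ioc_clients, staged = triage(SAMPLE)
    print("clients matching IoC list:", sorted(ioc_clients))
    for client, first, second in staged:
        print(f"staged pattern: {client} {first} -> {second} (gap {second - first})")
```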
The latest findings show that attackers are moving quickly to exploit new vulnerabilities in enterprise and open-source software. Even after vendors release patches, delayed updates continue to expose organizations to data breaches, cryptojacking, and system takeovers.