CVE-2025-6204

CVE-2025-6204 — Dassault Systèmes DELMIA Apriso Code Injection

Detects exploitation of CVE-2025-6204, a code injection vulnerability (CWE-94) in Dassault Systèmes DELMIA Apriso. This vulnerability allows attackers to inject and execute arbitrary code through the Apriso application layer. It is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to remote code execution, lateral movement, and full compromise of manufacturing execution system (MES) environments.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Dassault Systèmes
Product
DELMIA Apriso

Weakness (CWE)
CWE-94 (Code Injection)

Timeline

Disclosed
October 28, 2025

CVSS

Unscored

What is CVE-2025-6204 (Dassault Systèmes DELMIA Apriso Code Injection)?

CVE-2025-6204 (Dassault Systèmes DELMIA Apriso Code Injection) maps to the Initial Access, Execution and Lateral Movement tactics in MITRE ATT&CK: the adversary is trying to get into your network, run code on the Apriso host, and move on from there.

This page provides production-ready detection logic for CVE-2025-6204 — Dassault Systèmes DELMIA Apriso Code Injection, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, IIS Logs via AMA, Azure Monitor. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
  • Initial Access
  • Execution
  • Lateral Movement
Microsoft Sentinel / Defender

```kusto
// Ports on which the Apriso web tier is expected to listen
let AprisoPorts = dynamic([80, 443, 8080, 8443]);
// Code-injection indicators looked for in request payloads and command lines
let SuspiciousPatterns = dynamic(["eval(", "exec(", "system(", "passthru(", "shell_exec(", "Runtime.exec", "ProcessBuilder", "ScriptEngine", "Invoke-Expression", "cmd.exe", "powershell", "bash -c", "sh -c"]);
union DeviceNetworkEvents, DeviceProcessEvents, W3CIISLog
| where TimeGenerated > ago(24h)
| where (
    (Type == "W3CIISLog" and csUriStem contains "Apriso") or
    (Type == "DeviceNetworkEvents" and RemotePort in (AprisoPorts)) or
    (Type == "DeviceProcessEvents" and InitiatingProcessParentFileName has_any ("w3wp.exe", "java.exe", "tomcat"))
  )
// Normalise host and client IP across the IIS (Computer, cIP) and Defender (DeviceName, RemoteIP) schemas
| extend DeviceName = coalesce(DeviceName, Computer), RemoteIP = coalesce(RemoteIP, cIP)
// AdditionalFields is dynamic; cast it so coalesce receives a single type
| extend RequestPayload = coalesce(csUriQuery, tostring(AdditionalFields))
| where RequestPayload has_any (SuspiciousPatterns)
    or ProcessCommandLine has_any (SuspiciousPatterns)
| project TimeGenerated, DeviceName, AccountName, RemoteIP, RequestPayload, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
| summarize EventCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), UniqueIPs=dcount(RemoteIP) by DeviceName, AccountName, InitiatingProcessFileName
```

Detects code injection exploitation attempts against DELMIA Apriso by correlating IIS/web logs for suspicious payload patterns with child process spawning from Apriso web worker processes.

Severity: critical. Confidence: medium.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel
  • IIS Logs via AMA
  • Azure Monitor

Required Tables

  • DeviceNetworkEvents
  • DeviceProcessEvents
  • W3CIISLog

False Positives

  • Legitimate administrative scripts executed against Apriso API endpoints by MES administrators
  • Automated CI/CD pipelines that deploy or test Apriso configurations using shell commands
  • Security scanners and vulnerability assessment tools probing Apriso endpoints
  • Legitimate Java or .NET process spawning during scheduled Apriso batch jobs

Sigma rule & cross-platform mapping

The detection logic for CVE-2025-6204 (Dassault Systèmes DELMIA Apriso Code Injection) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource; note that it covers only the process-creation half of the correlation, not the IIS web-log half:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Apriso Code Injection via HTTP Request with Command Execution Payload

    Expected signal: IIS access log entry with POST to /Apriso/GlobalSuite.aspx; Sysmon Event ID 1 showing cmd.exe spawned by w3wp.exe; Windows Security Event ID 4688 for cmd.exe process creation.

  2. Test 2: Web Shell Drop Simulation via Apriso Worker Process

    Expected signal: Sysmon Event ID 11 (FileCreate) for test_shell.aspx in the web root; Sysmon Event ID 1 for cmd.exe with parent w3wp.exe; Windows Security Event ID 4663 for file write to IIS directory.

  3. Test 3: Outbound Beacon Simulation from Apriso Server Context

    Expected signal: Network connection event from the Apriso process (java or tomcat) to an external/loopback destination; DNS query or direct IP connection logged by EDR or network monitoring; process execution log showing curl or wget spawned by the web application parent.

  4. Test 4: Reconnaissance Commands Executed Post-Injection via PowerShell

    Expected signal: Sysmon Event ID 1 for powershell.exe with parent w3wp.exe; Windows Security Event ID 4688 for PowerShell process; PowerShell Script Block Logging Event ID 4104 capturing the reconnaissance commands.
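As an added illustration (not part of the page's detection package), the following Python script applies the correlation the KQL query and Test 1 describe to offline sample data: a suspicious request to an Apriso URI followed within a short window by a shell spawned from w3wp.exe on the same host. The W3C line layout, host names, IPs, timestamps and Sysmon-style records are all constructed.

```python
"""Correlate IIS W3C lines with Sysmon-style process events using the
indicator lists from the KQL query on this page (all data constructed)."""
from datetime import datetime, timedelta
from urllib.parse import unquote

# Indicators copied from the KQL query; matched as case-insensitive substrings (approximates has_any).
SUSPICIOUS_PATTERNS = ["eval(", "exec(", "system(", "passthru(", "shell_exec(",
                       "runtime.exec", "processbuilder", "scriptengine",
                       "invoke-expression", "cmd.exe", "powershell", "bash -c", "sh -c"]
WEB_WORKERS = {"w3wp.exe", "java.exe", "tomcat"}  # Apriso web worker parents

# Constructed W3C fields: date time s-computername cs-method cs-uri-stem cs-uri-query c-ip
IIS_LOG = """\
2025-10-29 08:12:01 MES-WEB01 POST /Apriso/GlobalSuite.aspx action=login 10.0.0.5
2025-10-29 08:12:44 MES-WEB01 POST /Apriso/GlobalSuite.aspx p=cmd.exe%20/c 203.0.113.7
2025-10-29 08:13:02 MES-WEB01 GET /Apriso/Portal/Home.aspx - 10.0.0.6
"""
# Constructed Sysmon Event ID 1 records: (UtcTime, Computer, ParentImage, Image)
PROCESS_EVENTS = [
    ("2025-10-29 08:12:45", "MES-WEB01", "w3wp.exe", "cmd.exe"),
    ("2025-10-29 08:20:00", "MES-WEB01", "explorer.exe", "powershell.exe"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_iis(text):
    """Split each W3C line into a dict; cs-uri-query is URL-decoded first."""
    rows = []
    for line in text.splitlines():
        d, t, host, method, stem, query, cip = line.split()
        rows.append({"time": _ts(f"{d} {t}"), "host": host, "method": method,
                     "stem": stem, "query": unquote(query), "client_ip": cip})
    return rows

def suspicious_requests(rows):
    """Mirror the KQL web-log branch: Apriso URI stem AND an injection pattern in the query."""
    return [r for r in rows if "apriso" in r["stem"].lower()
            and any(p in r["query"].lower() for p in SUSPICIOUS_PATTERNS)]

def correlate(rows, events, window=timedelta(minutes=5)):
    """Alert when a web-worker child process follows a suspicious request on the same host."""
    alerts = []
    for r in suspicious_requests(rows):
        for when, host, parent, child in events:
            if (host == r["host"] and parent.lower() in WEB_WORKERS
                    and r["time"] <= _ts(when) <= r["time"] + window):
                alerts.append({"host": host, "client_ip": r["client_ip"],
                               "request": r["stem"], "child": child})
    return alerts
```

Running `correlate(parse_iis(IIS_LOG), PROCESS_EVENTS)` on the sample data yields one alert for MES-WEB01 (cmd.exe under w3wp.exe, client 203.0.113.7); the later powershell.exe under explorer.exe is ignored because its parent is not a web worker.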
