Dassault Systèmes DELMIA Apriso Missing Authorization (CVE-2025-6205)

union isfuzzy=true
(
    DeviceNetworkEvents
    | where RemotePort in (80, 443, 8080, 8443)
    | where InitiatingProcessFileName has_any ("apriso", "delmia", "Manufacturing", "GlobalFluency")
    | extend Hint = "DELMIA Apriso process network activity"
),
(
    W3CIISLog
    | where csUriStem has_any ("/Apriso", "/DELMIA", "/GlobalFluency", "/MES", "/Manufacturing")
    | where scStatus in (200, 201, 204, 301, 302)
    | where csMethod in ("POST", "PUT", "DELETE", "PATCH")
    | where csUriQuery has_any ("bypass", "auth=", "token=skip", "noauth", "anonymous")
        or isempty(csUsername) or csUsername == "-"
    | extend Hint = "Unauthenticated or suspicious request to Apriso web endpoint"
),
(
    SecurityEvent
    | where EventID in (4624, 4625, 4648, 4672)
    | where TargetUserName has_any ("apriso", "delmia", "mes", "mfg")
    | extend Hint = "Authentication event involving Apriso service account"
)
| extend CVE = "CVE-2025-6205"
| project TimeGenerated, CVE, Hint, Computer, Account, RemoteIP, csUriStem, csStatus, csMethod

index=web OR index=iis OR index=windows
(
    (sourcetype=iis OR sourcetype=ms:iis:auto)
    (uri_path="*Apriso*" OR uri_path="*DELMIA*" OR uri_path="*GlobalFluency*" OR uri_path="*Manufacturing*")
    (method=POST OR method=PUT OR method=DELETE OR method=PATCH)
    (
        (username="-" OR username="" OR isnull(username))
        OR (query="*bypass*" OR query="*noauth*" OR query="*auth=skip*" OR query="*anonymous*")
    )
    (status=200 OR status=201 OR status=301 OR status=302)
)
OR
(
    sourcetype=WinEventLog:Security
    EventCode IN (4624, 4625, 4648, 4672)
    (TargetUserName="*apriso*" OR TargetUserName="*delmia*" OR TargetUserName="*mes*")
)
| eval CVE="CVE-2025-6205"
| eval risk_score=case(
    (username="-" AND (method="POST" OR method="DELETE")), 90,
    (query="*bypass*" OR query="*noauth*"), 85,
    EventCode=4625, 60,
    true(), 40
  )
| table _time, host, src_ip, uri_path, method, status, username, query, EventCode, TargetUserName, CVE, risk_score
| sort -risk_score

sequence by host.name with maxspan=5m
  [network where process.name : ("apriso*", "delmia*", "GlobalFluency*", "Manufacturing*") and network.direction == "outgoing"]
  [authentication where event.action in ("logged-in", "authentication_success") and user.name : ("*apriso*", "*delmia*", "*mes*", "anonymous")]

OR

any where
  (
    (event.dataset == "iis.access" and
     url.path : ("*Apriso*", "*DELMIA*", "*GlobalFluency*") and
     http.request.method in ("POST", "PUT", "DELETE") and
     (user.name == "-" or user.name == "" or url.query : ("*bypass*", "*noauth*", "*anonymous*")) and
     http.response.status_code in (200, 201, 301, 302))
  )

SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    sourceip AS SourceIP,
    destinationip AS DestinationIP,
    destinationport AS DestPort,
    URL AS RequestURL,
    username AS Username,
    HTTP_METHOD AS Method,
    HTTP_RESPONSE_CODE AS StatusCode,
    LOGSOURCENAME(logsourceid) AS LogSource,
    'CVE-2025-6205' AS CVE
FROM events
WHERE
    (
        (
            URL ILIKE '%Apriso%' OR URL ILIKE '%DELMIA%' OR URL ILIKE '%GlobalFluency%' OR URL ILIKE '%Manufacturing%'
        )
        AND HTTP_METHOD IN ('POST', 'PUT', 'DELETE', 'PATCH')
        AND (
            username IS NULL OR username = '' OR username = '-' OR username = 'anonymous'
            OR URL ILIKE '%bypass%' OR URL ILIKE '%noauth%' OR URL ILIKE '%auth=skip%'
        )
        AND HTTP_RESPONSE_CODE IN (200, 201, 204, 301, 302)
    )
    OR
    (
        QIDNAME(qid) ILIKE '%authentication failure%'
        AND (username ILIKE '%apriso%' OR username ILIKE '%delmia%' OR username ILIKE '%mes%')
    )
LAST 24 HOURS
ORDER BY starttime DESC

_sourceCategory=iis OR _sourceCategory=windows/security
| parse regex "(?<uri_path>/[^\s?]*)" nodrop
| parse regex "\s(?<method>GET|POST|PUT|DELETE|PATCH|HEAD)\s" nodrop
| parse regex "\s(?<status>\d{3})\s" nodrop
| parse regex "\s(?<username>[^\s]+)\s" nodrop
| where (uri_path matches "*Apriso*" or uri_path matches "*DELMIA*" or uri_path matches "*GlobalFluency*")
| where method in ("POST", "PUT", "DELETE", "PATCH")
| where (username = "-" or isBlank(username) or _raw matches "*bypass*" or _raw matches "*noauth*")
| where status in ("200", "201", "204", "301", "302")
| withtime _messagetime
| count by _sourceHost, uri_path, method, status, username
| sort by _count desc
| fields _sourceHost, uri_path, method, status, username, _count

rule CVE_2025_6205_DELMIA_Apriso_Missing_Authorization {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects potential exploitation of CVE-2025-6205 - Missing Authorization in Dassault DELMIA Apriso"
    severity = "CRITICAL"
    reference = "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205"
    cve = "CVE-2025-6205"

  events:
    (
      $e.metadata.event_type = "NETWORK_HTTP"
      and (
        $e.target.url =~ ".*[Aa]priso.*"
        or $e.target.url =~ ".*[Dd][Ee][Ll][Mm][Ii][Aa].*"
        or $e.target.url =~ ".*GlobalFluency.*"
        or $e.target.url =~ ".*Manufacturing.*"
      )
      and $e.network.http.method in ("POST", "PUT", "DELETE", "PATCH")
      and (
        not $e.principal.user.userid != ""
        or $e.target.url =~ ".*bypass.*"
        or $e.target.url =~ ".*noauth.*"
        or $e.target.url =~ ".*anonymous.*"
      )
      and $e.network.http.response_code in (200, 201, 204, 301, 302)
    )
    or
    (
      $e.metadata.event_type = "USER_LOGIN"
      and $e.metadata.event_status = "FAILED"
      and (
        $e.principal.user.userid =~ ".*apriso.*"
        or $e.principal.user.userid =~ ".*delmia.*"
        or $e.principal.user.userid =~ ".*mes.*"
      )
    )

  condition:
    $e
}

#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "HttpRequest", "UserLogon", "UserLogonFailed")
| $falcon.event_type != ""
// Apriso process network activity
| case {
    ImageFileName =~ "(?i)(apriso|delmia|globalfluency|manufacturing)" :
        assign(detection_hint="Apriso process network activity", risk=70);
    // Apriso web endpoint access
    TargetURL =~ "(?i)(/apriso|/delmia|/globalfluency|/manufacturing)" AND HttpMethod IN ("POST", "PUT", "DELETE", "PATCH") AND (UserName == "-" OR UserName == "" OR TargetURL =~ "(?i)(bypass|noauth|anonymous)"):
        assign(detection_hint="Unauthenticated or bypass request to Apriso endpoint", risk=90);
    // Apriso service account auth failures
    UserName =~ "(?i)(apriso|delmia|mes)" AND #event_simpleName == "UserLogonFailed":
        assign(detection_hint="Apriso service account auth failure", risk=65);
    *: assign(detection_hint="Unclassified Apriso event", risk=10)
  }
| risk > 40
| groupBy([ComputerName, UserName, TargetURL, HttpMethod, HttpResponseCode, detection_hint], function=count(1, as=event_count))
| sort(risk, order=desc)
| CVE := "CVE-2025-6205"