CVE-2025-6205 Google Chronicle · YARA-L

Detect Dassault Systèmes DELMIA Apriso Missing Authorization (CVE-2025-6205) in Google Chronicle

Detects exploitation attempts targeting CVE-2025-6205, a missing authorization vulnerability (CWE-862) in Dassault Systèmes DELMIA Apriso. The flaw lets unauthenticated or low-privileged attackers reach protected resources or perform actions that should require an authorization check. The CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactics: Initial Access, Privilege Escalation, Credential Access

YARA-L Detection Query

Google Chronicle (YARA-L)
rule CVE_2025_6205_DELMIA_Apriso_Missing_Authorization {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects potential exploitation of CVE-2025-6205 - Missing Authorization in Dassault DELMIA Apriso"
    severity = "CRITICAL"
    reference = "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205"
    cve = "CVE-2025-6205"

  events:
    // Branch 1: a state-changing HTTP request to an Apriso/DELMIA path that is
    // served without a user context, or whose URL carries an auth-bypass hint.
    (
      $e.metadata.event_type = "NETWORK_HTTP"
      and (
        $e.target.url =~ ".*[Aa]priso.*"
        or $e.target.url =~ ".*[Dd][Ee][Ll][Mm][Ii][Aa].*"
        or $e.target.url =~ ".*GlobalFluency.*"
        or $e.target.url =~ ".*Manufacturing.*"
      )
      and $e.network.http.method in ("POST", "PUT", "DELETE", "PATCH")
      and (
        // no authenticated principal on the request (userid empty or unset)
        $e.principal.user.userid = ""
        or $e.target.url =~ ".*bypass.*"
        or $e.target.url =~ ".*noauth.*"
        or $e.target.url =~ ".*anonymous.*"
      )
      // only fire when the request was actually served, not rejected
      and $e.network.http.response_code in (200, 201, 204, 301, 302)
    )
    or
    // Branch 2: failed logons for Apriso/DELMIA/MES service accounts.
    (
      $e.metadata.event_type = "USER_LOGIN"
      // UDM records a failed logon as security_result.action = "BLOCK"
      and $e.security_result.action = "BLOCK"
      and (
        $e.principal.user.userid =~ ".*apriso.*"
        or $e.principal.user.userid =~ ".*delmia.*"
        // ".*mes.*" is broad (it also matches names such as "james");
        // narrow it to the site's MES account naming convention when tuning
        or $e.principal.user.userid =~ ".*mes.*"
      )
    )

  condition:
    $e
}
Severity: critical · Confidence: medium

Chronicle YARA-L rule to detect unauthenticated or authorization-bypassing HTTP requests to DELMIA Apriso endpoints and failed logins for Apriso service accounts.

Data Sources

  • Chronicle UDM: Network HTTP
  • Chronicle UDM: User Login Events
  • GCP Cloud Logging

Required Tables

network_http, user_login

False Positives & Tuning

  • Anonymous browsing of public Apriso documentation portals
  • Internal monitoring bots without user context in Chronicle UDM
  • Legacy integration connectors using deprecated auth methods
  • Penetration testing engagements with authorized scope

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Unauthenticated HTTP POST to Apriso API Endpoint

    Expected signal: IIS access log entry: POST /Apriso/api/v1/WorkOrders with username '-' or empty and HTTP response code 200/201/401/403. Network flow showing outbound connection to Apriso host on port 80 or 443.

  2. Test 2: Apriso Endpoint Enumeration via Unauthenticated GET Scan

    Expected signal: Multiple IIS log entries for sequential GET requests to /Apriso*, /DELMIA*, /GlobalFluency* paths from the same source IP within a short time window.

  3. Test 3: Authorization Bypass via Query Parameter Manipulation

    Expected signal: IIS log entry with URI /Apriso/api/v1/Users?anonymous=true&auth=skip, method POST, and username '-'. Windows Security Event Log may show no corresponding authentication event.

  4. Test 4: Repeated Authentication Failure on Apriso Service Account

    Expected signal: Windows Security Event Log Event ID 4625 (failed logon) for TargetUserName=apriso_svc repeated 10 times within a short window. IIS 401 responses for POST to /Apriso/login.
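The following Python script is an added example, not part of the original page, the Chronicle rule, or any Dassault or df00tech code. It re-implements the HTTP branch of the YARA-L rule above (a state-changing request to an Apriso/DELMIA path that is served with no user context or with a bypass hint in the URL) together with the enumeration and repeated-401 signals from Tests 2 and 4, and runs them over IIS W3C log lines so the conditions can be checked offline before the rule is deployed. The log lines, IP addresses, thresholds and time windows are constructed assumptions; the 403 entry at the end shows that a rejected unauthenticated request does not fire, matching the rule's response-code filter.

```python
"""Offline replay of the CVE-2025-6205 detection logic over IIS log lines.

Added example (not the page's or the vendor's code). Mirrors the YARA-L HTTP
branch plus the enumeration and repeated-401 expected signals from the
testing methodology. All sample data, IPs, thresholds and windows are
constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended-format sample: one #Fields header, then entries.
# cs-username "-" means IIS recorded no authenticated user for the request.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-07-01 10:00:01 POST /Apriso/api/v1/WorkOrders - - 198.51.100.7 201
2025-07-01 10:00:02 POST /Apriso/api/v1/Users anonymous=true&auth=skip - 198.51.100.7 200
2025-07-01 10:00:03 POST /Apriso/api/v1/WorkOrders - CORP\\jsmith 10.0.0.5 201
2025-07-01 10:00:04 GET /Apriso/ - - 203.0.113.9 200
2025-07-01 10:00:05 GET /DELMIA/ - - 203.0.113.9 404
2025-07-01 10:00:06 GET /GlobalFluency/ - - 203.0.113.9 404
2025-07-01 10:00:07 GET /Apriso/docs - - 203.0.113.9 200
2025-07-01 10:00:08 POST /Apriso/login - - 192.0.2.33 401
2025-07-01 10:00:09 POST /Apriso/login - - 192.0.2.33 401
2025-07-01 10:00:10 POST /Apriso/login - - 192.0.2.33 401
2025-07-01 10:00:11 POST /Apriso/api/v1/WorkOrders - - 198.51.100.8 403
"""

# Same URL, method, bypass-hint and response-code predicates as the YARA-L rule.
APRISO_PATH = re.compile(r"apriso|delmia|globalfluency|manufacturing", re.I)
BYPASS_HINT = re.compile(r"bypass|noauth|anonymous", re.I)
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
SUCCESS_CODES = {200, 201, 204, 301, 302}


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # tolerate malformed lines instead of aborting the scan
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["sc-status"] = int(row["sc-status"])
        rows.append(row)
    return rows


def unauthorized_writes(rows):
    """YARA-L HTTP branch: write method + Apriso path + (no user or bypass hint) + served."""
    hits = []
    for r in rows:
        uri = r["cs-uri-stem"] + ("?" + r["cs-uri-query"] if r["cs-uri-query"] != "-" else "")
        if r["cs-method"] not in WRITE_METHODS or not APRISO_PATH.search(uri):
            continue
        unauthenticated = r["cs-username"] == "-"
        if (unauthenticated or BYPASS_HINT.search(uri)) and r["sc-status"] in SUCCESS_CODES:
            hits.append((r["c-ip"], r["cs-method"], uri, r["sc-status"]))
    return hits


def enumeration_bursts(rows, min_requests=3, window=timedelta(seconds=60)):
    """Test 2: `min_requests` or more unauthenticated GETs to Apriso paths from one IP inside `window`."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "GET" and r["cs-username"] == "-" and APRISO_PATH.search(r["cs-uri-stem"]):
            by_ip[r["c-ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_requests:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def repeated_login_failures(rows, threshold=3, window=timedelta(minutes=5)):
    """Test 4 as seen by IIS: repeated 401s on POST /Apriso/login from one source IP."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/apriso/login" and r["sc-status"] == 401:
            by_ip[r["c-ip"]].append(r["ts"])
    return {ip: len(t) for ip, t in by_ip.items() if len(t) >= threshold and max(t) - min(t) <= window}


if __name__ == "__main__":
    rows = parse_iis(SAMPLE_LOG)
    print("unauthorized writes:", unauthorized_writes(rows))
    print("enumeration bursts:", enumeration_bursts(rows))
    print("login failures:", repeated_login_failures(rows))
```

The thresholds (3 GETs in 60 seconds, 3 failed logins in 5 minutes) are deliberately low so the constructed sample trips them; in production they should be raised to match the tuning notes above, and the authenticated POST from CORP\jsmith and the 403 response illustrate the two cases the rule is designed to ignore.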
