CVE-2025-6205 Elastic Security · Elastic

Detect Dassault Systèmes DELMIA Apriso Missing Authorization (CVE-2025-6205) in Elastic Security

Detects exploitation attempts targeting CVE-2025-6205, a missing authorization vulnerability (CWE-862) in Dassault Systèmes DELMIA Apriso. This vulnerability allows unauthenticated or low-privileged attackers to access protected resources or perform actions without proper authorization checks. Listed as a CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [network where process.name : ("apriso*", "delmia*", "GlobalFluency*", "Manufacturing*") and network.direction == "outgoing"]
  [authentication where event.action in ("logged-in", "authentication_success") and user.name : ("*apriso*", "*delmia*", "*mes*", "anonymous")]

OR

any where
  (
    (event.dataset == "iis.access" and
     url.path : ("*Apriso*", "*DELMIA*", "*GlobalFluency*") and
     http.request.method in ("POST", "PUT", "DELETE") and
     (user.name == "-" or user.name == "" or url.query : ("*bypass*", "*noauth*", "*anonymous*")) and
     http.response.status_code in (200, 201, 301, 302))
  )
critical severity medium confidence

EQL sequence and event detection for unauthenticated access or suspicious authorization bypass patterns targeting DELMIA Apriso endpoints, correlated with process and authentication events.

Data Sources

Elastic AgentIIS ModuleWindows Authentication Logs

Required Tables

logs-iis.access-*logs-windows.security-*metrics-*

False Positives & Tuning

  • Legitimate anonymous access allowed for specific public-facing Apriso modules
  • Load balancer health probes that appear as unauthenticated POST requests
  • Integration agents running under generic service identities
  • Bulk data sync jobs using token-based auth not reflected in standard log fields

Other platforms for CVE-2025-6205

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated HTTP POST to Apriso API Endpoint

    Expected signal: IIS access log entry: POST /Apriso/api/v1/WorkOrders with username '-' or empty and HTTP response code 200/201/401/403. Network flow showing outbound connection to Apriso host on port 80 or 443.

  2. Test 2Apriso Endpoint Enumeration via Unauthenticated GET Scan

    Expected signal: Multiple IIS log entries for sequential GET requests to /Apriso*, /DELMIA*, /GlobalFluency* paths from same source IP within a short time window.

  3. Test 3Authorization Bypass via Query Parameter Manipulation

    Expected signal: IIS log entry with URI /Apriso/api/v1/Users?anonymous=true&auth=skip, method POST, and username '-'. Windows Security Event Log may show no corresponding authentication event.

  4. Test 4Repeated Authentication Failure on Apriso Service Account

    Expected signal: Windows Security Event Log Event ID 4625 (failed logon) for TargetUserName=apriso_svc repeated 10 times within a short window. IIS 401 responses for POST to /Apriso/login.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-6205 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1548Abuse Elevation Control Mechanism

Same Tactic: Initial Access

Popular Detections