CVE-2025-6204 (GCVE-0-2025-6204)

Vulnerability from cvelistv5 – Published: 2025-08-04 09:14 – Updated: 2025-10-28 22:20
VLAI? CISA
Title
Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025
Summary
An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.
Severity ?
8 (High)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
3DS
References
Impacted products
Vendor Product Version
Dassault Systèmes DELMIA Apriso Affected: Release 2020 Golden , ≤ Release 2020 SP4 (custom)
Affected: Release 2021 Golden , ≤ Release 2021 SP3 (custom)
Affected: Release 2022 Golden , ≤ Release 2022 SP3 (custom)
Affected: Release 2023 Golden , ≤ Release 2023 SP3 (custom)
Affected: Release 2024 Golden , ≤ Release 2024 SP1 (custom)
Affected: Release 2025 Golden , ≤ Release 2025 SP1 (custom)
Create a notification for this product.
CISA Known Exploited Vulnerability
Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2025-10-28

Due date: 2025-11-18

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Used in ransomware: Unknown

Notes: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6204

Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6204",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-10-28",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6204"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-28T22:20:24.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "name": "CISA KEV",
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6204"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-10-28T00:00:00+00:00",
            "value": "CVE-2025-6204 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DELMIA Apriso",
          "vendor": "Dassault Syst\u00e8mes",
          "versions": [
            {
              "lessThanOrEqual": "Release 2020 SP4",
              "status": "affected",
              "version": "Release 2020 Golden",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "Release 2021 SP3",
              "status": "affected",
              "version": "Release 2021 Golden",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "Release 2022 SP3",
              "status": "affected",
              "version": "Release 2022 Golden",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "Release 2023 SP3",
              "status": "affected",
              "version": "Release 2023 Golden",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "Release 2024 SP1",
              "status": "affected",
              "version": "Release 2024 Golden",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "Release 2025 SP1",
              "status": "affected",
              "version": "Release 2025 Golden",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code."
            }
          ],
          "value": "An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-04T09:14:08.343Z",
        "orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
        "shortName": "3DS"
      },
      "references": [
        {
          "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
    "assignerShortName": "3DS",
    "cveId": "CVE-2025-6204",
    "datePublished": "2025-08-04T09:14:08.343Z",
    "dateReserved": "2025-06-17T14:03:08.909Z",
    "dateUpdated": "2025-10-28T22:20:24.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-6204",
      "cwes": "[\"CWE-94\"]",
      "dateAdded": "2025-10-28",
      "dueDate": "2025-11-18",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6204",
      "product": "DELMIA Apriso",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Dassault Syst\u00e8mes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.",
      "vendorProject": "Dassault Syst\u00e8mes",
      "vulnerabilityName": "Dassault Syst\u00e8mes DELMIA Apriso Code Injection Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-6204\",\"sourceIdentifier\":\"3DS.Information-Security@3ds.com\",\"published\":\"2025-08-04T10:15:27.800\",\"lastModified\":\"2025-10-29T12:49:33.617\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de control inadecuado de generaci\u00f3n de c\u00f3digo (inyecci\u00f3n de c\u00f3digo) que afecta a DELMIA Apriso desde la versi\u00f3n 2020 hasta la versi\u00f3n 2025 podr\u00eda permitir que un atacante ejecute c\u00f3digo arbitrario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"3DS.Information-Security@3ds.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":6.0}]},\"cisaExploitAdd\":\"2025-10-28\",\"cisaActionDue\":\"2025-11-18\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Dassault Syst\u00e8mes DELMIA Apriso Code Injection Vulnerability\",\"weaknesses\":[{\"source\":\"3DS.Information-Security@3ds.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:3ds:delmia_apriso:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2020\",\"versionEndIncluding\":\"2025\",\"matchCriteriaId\":\"809F8ACE-5686-4178-ACF7-D6968035FCF5\"}]}]}],\"references\":[{\"url\":\"https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204\",\"source\":\"3DS.Information-Security@3ds.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6204\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-6204\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-04T15:49:53.504308Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-04T15:50:45.253Z\"}}], \"cna\": {\"title\": \"Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Dassault Syst\\u00e8mes\", \"product\": \"DELMIA Apriso\", \"versions\": [{\"status\": \"affected\", \"version\": \"Release 2020 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2020 SP4\"}, {\"status\": \"affected\", \"version\": \"Release 2021 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2021 SP3\"}, {\"status\": \"affected\", \"version\": \"Release 2022 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2022 SP3\"}, {\"status\": \"affected\", \"version\": \"Release 2023 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2023 SP3\"}, {\"status\": \"affected\", \"version\": \"Release 2024 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2024 SP1\"}, {\"status\": \"affected\", \"version\": \"Release 2025 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2025 SP1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f5a594e6-46a7-4e60-8a08-0a786e70e433\", \"shortName\": \"3DS\", \"dateUpdated\": \"2025-08-04T09:14:08.343Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-6204\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-28T03:56:03.666Z\", \"dateReserved\": \"2025-06-17T14:03:08.909Z\", \"assignerOrgId\": \"f5a594e6-46a7-4e60-8a08-0a786e70e433\", \"datePublished\": \"2025-08-04T09:14:08.343Z\", \"assignerShortName\": \"3DS\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.