Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack

The U. S. Cybersecurity and Infrastructure Security Agency (CISA), along with VulnCheck, has confirmed active exploitation of critical security flaws affecting Dassault Systèmes DELMIA Apriso and XWiki platforms. These vulnerabilities pose serious risks, allowing attackers to execute arbitrary code or gain unauthorized privileged access. Specifically, CVE-2025-6204 is a code injection flaw in DELMIA Apriso, rated with a CVSS score of 8.0, which enables arbitrary code execution. Alongside this, CVE-2025-6205, scoring 9.1, involves missing authorization checks that could let an attacker access privileged application functions without proper permission. Both of these issues affect DELMIA Apriso versions from Release 2020 through Release 2025 and were patched by Dassault Systèmes in early August 2025. Notably, these vulnerabilities were added to the Known Exploited Vulnerabilities (KEV) catalog shortly after CISA had already flagged another critical flaw (CVE-2025-5086) in the same product, which also saw exploitation attempts detected by the SANS Internet Storm Center. Whether these attacks are linked remains unclear at this stage. In parallel, the XWiki vulnerability CVE-2025-24893, with a CVSS score of 9.8, involves improper neutralization of input in dynamic evaluation calls, commonly referred to as an eval injection. This flaw allows any guest user to remotely execute code via requests to the "/bin/get/Main/SolrSearch" endpoint. VulnCheck reports that this particular vulnerability has been weaponized since as early as March 2025. The exploitation follows a two-stage attack chain designed to install a cryptocurrency miner on the victim’s system. Details from VulnCheck reveal that attackers, traced back to an IP geolocated in Vietnam, carry out a two-pass process separated by around 20 minutes. The first pass stages a downloader file on disk, while the second pass executes it. The downloader uses wget to fetch another downloader named "x640" from a suspicious server, which then pulls in two additional payloads: x521, which retrieves the actual cryptocurrency miner, and x522, which terminates competing miners like XMRig and Kinsing before launching the miner configured for the c3pool.org mining pool. The malicious IP address has a history of brute-force attack attempts, flagged recently as late as October 26, 2025. Given the active exploitation, agencies and users running affected versions are strongly urged to apply the provided patches immediately. For instance, several Federal Civilian Executive Branch (FCEB) agencies have been mandated to remediate the DELMIA Apriso vulnerabilities by November 18, 2025, underscoring the severity and urgency of this threat. The ongoing exploitation of these critical flaws highlights the persistent risk faced by organizations relying on DELMIA Apriso and XWiki products. Users should remain vigilant and prioritize patching to curtail further compromise, especially considering the evolving nature of ransomware and cryptomining threats tied to these vulnerabilities.