CVE-2025-6205
Published: 04 August 2025
Summary
CVE-2025-6205 is a critical-severity Missing Authorization (CWE-862) vulnerability in Dassault Systèmes (3DS) DELMIA Apriso. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST SP 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-6205 is a missing authorization vulnerability, tracked under CWE-862, that affects Dassault Systèmes DELMIA Apriso releases from Release 2020 through Release 2025. The flaw carries a CVSS 3.1 score of 9.1 and permits an unauthenticated network attacker to obtain privileged access to the application.
The issue is exploitable remotely with no credentials and no user interaction, with high impact to confidentiality and integrity and no impact to availability. Successful exploitation grants elevated privileges within the DELMIA Apriso environment.
The vendor has published an advisory at the 3DS trust center, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
The associated EPSS score stands at 0.8280, equal to its recorded peak, reflecting sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23493
Vulnerability details
A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.
- CWE(s): CWE-862 (Missing Authorization)
- KEV Date Added: 28 October 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Missing authorization (CWE-862) in a remotely accessible enterprise application directly enables unauthenticated network exploitation to obtain privileged access, matching T1190 Exploit Public-Facing Application.
Affected Assets
- Dassault Systèmes DELMIA Apriso, Release 2020 through Release 2025
Mitigating Controls (NIST SP 800-53 r5)
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations for logical access, directly addressing the missing authorization that permitted unauthenticated attackers to gain privileged access in DELMIA Apriso.
- AC-14 (Permitted Actions Without Identification or Authentication): Restricts and documents the specific actions allowable without identification or authentication, preventing privileged operations by unauthenticated remote attackers exploiting this vulnerability.
- AC-6 (Least Privilege): Enforces least privilege to limit access to only the permissions necessary, reducing the impact when bypassed or missing authorization checks grant excessive privileges.