CVE-2025-6205

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 August 2025
Modified: 29 October 2025
KEV Added: 28 October 2025
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.8280 (99.3rd percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6205 is a critical-severity Missing Authorization (CWE-862) vulnerability in 3DS DELMIA Apriso. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-6205 is a missing authorization vulnerability, tracked under CWE-862, that affects Dassault Systèmes DELMIA Apriso releases from 2020 through 2025. The flaw carries a CVSS 3.1 score of 9.1 and permits an unauthenticated network attacker to obtain privileged access to the application.

An attacker can exploit the issue remotely with no credentials or user interaction required, resulting in high impact to confidentiality and integrity while leaving availability unaffected. Successful exploitation grants elevated privileges within the DELMIA Apriso environment.

The vendor has published an advisory at the 3DS trust center, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.

The associated EPSS score stands at 0.8280, equal to its recorded peak, reflecting sustained exploitation interest since disclosure.

Vulnerability details

A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.

CWE(s): CWE-862 Missing Authorization
KEV Date Added: 28 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in a remotely accessible enterprise application directly enables unauthenticated network exploitation to obtain privileged access, matching T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-6204 (same product: 3DS DELMIA Apriso; both on KEV)
CVE-2025-20362 (shared CWE-862; both on KEV)
CVE-2023-52163 (shared CWE-862; both on KEV)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)

Affected Assets

Vendor: 3DS
Product: DELMIA Apriso
Versions: Release 2020 through Release 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Mandates enforcement of approved authorizations for logical access, directly addressing the missing authorization that permitted unauthenticated attackers to gain privileged access in DELMIA Apriso.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Restricts and documents the specific actions allowable without identification or authentication, preventing privileged operations by unauthenticated remote attackers exploiting this vulnerability.

AC-6 Least Privilege (prevent)
Enforces least privilege to limit access to only the necessary permissions, reducing the impact of bypassed or missing authorization checks that would otherwise grant excessive privileges.