CISA adds two Known Exploited Vulnerabilities to catalog
The Cybersecurity and Infrastructure Security Agency has added two newly identified vulnerabilities in Dassault Systèmes DELMIA Apriso to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting risks related to code injection and missing authorization. Both vulnerabilities have been linked to active exploitation of affected systems.
The issues are identified as CVE-2025-6204, concerning code injection in DELMIA Apriso, and CVE-2025-6205, related to a missing authorization flaw within the same software suite. The vulnerabilities specifically pertain to components within the Dassault Systèmes DELMIA Apriso products and have been confirmed through observed exploitation attempts.
The presence of these vulnerabilities in operational environments can allow malicious actors to execute unauthorized code or bypass authorization controls, potentially exposing sensitive systems to compromise. The vulnerabilities represent known attack vectors currently exploited in the field.
Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch agencies to remediate vulnerabilities listed in the KEV Catalog by specified deadlines in order to safeguard federal networks. While the directive applies only to those agencies, organizations outside its scope are also encouraged to remediate promptly to reduce exposure to active threats. Under the directive, the catalog is maintained as an evolving record of CVEs that present significant risk.
The agency continues to update the KEV Catalog with vulnerabilities meeting established criteria and advises organizations to incorporate resolution of these entries into their vulnerability management strategies. Further information about the directive’s requirements is available in the corresponding fact sheet.