
The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog with significant new entries affecting enterprise and open-source software widely used across industries: Dassault Systèmes DELMIA Apriso, XWiki, and VMware Aria. These vulnerabilities present critical security risks, are being actively exploited by attackers, and demand immediate attention from organizations using these platforms.
Dassault DELMIA Apriso Vulnerabilities: Code Injection and Privilege Escalation
Dassault DELMIA Apriso, a leading manufacturing software product, has been found vulnerable to two severe security flaws that can allow attackers to remotely execute malicious code and gain elevated privileges:
- CVE-2025-6204: This vulnerability is a code injection flaw that permits attackers to insert and execute arbitrary commands on affected systems. With a CVSS score of 8.0, the flaw affects DELMIA Apriso versions ranging from Release 2020 to Release 2025. Exploitation could lead to full system compromise, enabling attackers to control or disrupt manufacturing operations.
- CVE-2025-6205: This missing authorization vulnerability allows attackers to bypass security measures and escalate privileges without authorization. Its high CVSS score of 9.1 indicates a critical risk to the system's integrity and confidentiality. This vulnerability was patched in August 2025, but unpatched systems remain at serious risk.
Both vulnerabilities have been observed in active exploit campaigns targeting manufacturing environments, emphasizing the need for rapid patch deployment and network access restrictions.
XWiki Remote Code Execution: A Vulnerability Under Active Exploitation
XWiki, an open-source collaboration software, faces a major security challenge with the addition of CVE-2025-24893 to the KEV catalog:
- This flaw involves an evaluation injection in the /bin/get/Main/SolrSearch endpoint, allowing unauthenticated attackers to achieve remote code execution; it carries a critical CVSS score of 9.8.
- Since March 2025, this vulnerability has been actively exploited in the wild. Attackers commonly use it to deploy cryptocurrency miners, degrading system performance and potentially leading to data breaches.
The active exploitation observed highlights the urgency for XWiki users to patch affected versions immediately and monitor their environments for signs of compromise.
VMware Aria Vulnerabilities: Emerging Threats Require Attention
CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. The vulnerability arises when VMware Aria Operations manages a virtual machine (VM) with VMware Tools installed and the Service Discovery Management Pack (SDMP) enabled. A local attacker with non-administrative privileges on such a VM can exploit this flaw to escalate privileges to root on the same machine.
The root cause is an untrusted search path weakness (CWE-426) in a shell script used by VMware Tools for service discovery. The get-versions.sh script uses overly broad regex patterns to locate service binaries, allowing an attacker to place a malicious binary in writable directories (e.g., /tmp/httpd). The script may execute this malicious binary with elevated privileges, granting the attacker full root access.
This vulnerability has a CVSS v3.1 base score of 7.8, categorized as high severity. It has been actively exploited in the wild since at least mid-October 2024 by the China-linked threat actor UNC5174. The vulnerability impacts VMware Cloud Foundation Operations versions prior to 9.0.1.0, VMware Tools versions prior to 13.0.5.0 and 12.5.4, and VMware Aria Operations versions prior to 8.18.5.
Successful exploitation could allow an attacker to install programs, view, change or delete data, or create new accounts with full user rights on the affected system, posing a serious security risk for managed VM environments.
Broadcom, the vendor, has acknowledged this vulnerability and issued patches under advisory VMSA-2025-0015. Monitoring for unusual child processes spawned by VMware service discovery scripts and applying patches immediately are crucial for mitigating this threat.
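To illustrate the monitoring step described above, the following is an added example (not Broadcom's or VMware's code) that flags root-level child processes of the service discovery script whose executable lives outside a trusted directory, the CWE-426 pattern behind CVE-2025-41244. The process records, the trusted-prefix allow-list, and the simplified event shape are all constructed assumptions; only the script name get-versions.sh comes from the advisory text.

```python
from dataclasses import dataclass

# Assumed allow-list of directories a root service probe may legitimately execute from.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/opt/")
# Script name from the advisory text; its full install path is not assumed here.
DISCOVERY_MARKER = "get-versions.sh"


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record (simplified, EDR/auditd-like shape, constructed)."""
    pid: int
    ppid: int
    uid: int
    exe: str       # resolved path of the executed image
    cmdline: str

def untrusted_path(exe: str) -> bool:
    """True when the image lives outside the trusted prefixes (e.g. /tmp, /dev/shm)."""
    return not exe.startswith(TRUSTED_PREFIXES)

def spawned_by_discovery(ev: ProcEvent, by_pid: dict) -> bool:
    """Walk the parent chain; True if any ancestor is the discovery script."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)                      # guard against cyclic or garbled data
        if DISCOVERY_MARKER in cur.cmdline:
            return True
        cur = by_pid.get(cur.ppid)
    return False

def find_suspicious(events: list) -> list:
    """Root-level descendants of the discovery script running from untrusted paths."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events
            if e.uid == 0 and untrusted_path(e.exe) and spawned_by_discovery(e, by_pid)]

# Constructed sample data: a benign probe of /usr/sbin/httpd, a planted /tmp/httpd
# executed as root by the script, and an unrelated user process in /tmp.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, 0, "/usr/bin/vmtoolsd", "vmtoolsd"),
    ProcEvent(200, 100, 0, "/bin/sh", "sh ./get-versions.sh"),
    ProcEvent(201, 200, 0, "/usr/sbin/httpd", "/usr/sbin/httpd -v"),
    ProcEvent(202, 200, 0, "/tmp/httpd", "/tmp/httpd -v"),
    ProcEvent(300, 1, 1000, "/tmp/httpd", "/tmp/httpd"),
]
```

Running find_suspicious(SAMPLE_EVENTS) returns only the /tmp/httpd process executed as root beneath the script; the legitimate /usr/sbin/httpd probe and the unrelated user process in /tmp are not flagged.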
What Organizations Should Do Now
Given the severity and active exploitation of these vulnerabilities:
- Patch immediately: Apply security updates provided by Dassault, XWiki, and VMware without delay.
- Monitor actively: Watch for suspicious activity, especially signs of remote code execution or unauthorized privilege escalations.
- Restrict access: Limit network exposure of vulnerable services to trusted environments only.
- Leverage CISA guidance: Follow KEV catalog timelines and best practices to mitigate risks efficiently.
Conclusion
CISA’s addition of Dassault DELMIA Apriso, XWiki, and VMware Aria to the KEV catalog underscores the persistent and evolving threat landscape organizations face. Addressing these critical vulnerabilities through prompt patching and proactive security measures is essential to protect operational continuity and sensitive data from cyber attackers.
Staying informed and responsive to such security updates remains a cornerstone of effective cybersecurity risk management.