DELMIA Apriso and XWiki exploitation

Attackers are actively exploiting **Dassault Systèmes DELMIA Apriso** and **XWiki**, turning separate product flaws into a live exposure story. **CVE-2025-6204** and **CVE-2025-6205** affect DELMIA Apriso Release 2020 through Release 2025, while **CVE-2025-24893** lets a guest user trigger remote code execution through the XWiki **/bin/get/Main/SolrSearch** endpoint. CISA added the DELMIA Apriso flaws and the XWiki flaw to the **Known Exploited Vulnerabilities** catalog, confirming active abuse. The available evidence also shows a two-stage XWiki attack chain that stages a downloader, executes further payloads, and has delivered a cryptocurrency miner. Dassault Systèmes said it patched the DELMIA Apriso issues in early August 2025, and CISA placed **CVE-2025-5086** on the KEV list after earlier exploitation against the same product. Federal Civilian Executive Branch agencies must meet the **November 18, 2025** deadline for the DELMIA Apriso flaws, and the XWiki entry carries a **November 20, 2025** deadline. Available evidence shows XWiki abuse dating back to March 2025, but it does not quantify reach or confirm how many deployments were compromised. Defenders should hunt for requests to the Apriso and XWiki endpoints, downloader artifacts, and miner activity, while applying vendor mitigations or removing exposure where mitigation is unavailable.