A critical vulnerability has been identified in Dassault Systèmes' DELMIA Apriso software, which could allow an unauthorized attacker to gain high-level administrative access. This flaw stems from the application's failure to properly verify user permissions for sensitive functions. Successful exploitation could lead to complete system compromise, data theft, and significant operational disruption.

The vulnerability is classified as a "Missing Authorization" flaw. This means the application does not correctly check if a user has the required permissions before allowing them to perform a privileged action. An unauthenticated or low-privileged attacker could exploit this by crafting a direct request to a sensitive administrative endpoint or API, bypassing standard security checks and gaining elevated privileges within the application.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a severe impact on business operations, as DELMIA Apriso is a Manufacturing Operations Management system. An attacker with privileged access could steal sensitive intellectual property, manipulate production data, disrupt or halt manufacturing processes, and potentially cause financial loss and reputational damage. The complete control gained by an attacker introduces significant risks to data integrity, confidentiality, and availability.

Immediate Action: Immediately apply the security patches provided by Dassault Systèmes to update all affected DELMIA Apriso instances to the latest version. Prioritize patching for internet-facing or business-critical systems. After patching, verify that the update was successful and the vulnerability is resolved.

Proactive Monitoring: Enhance monitoring of the DELMIA Apriso application and its underlying servers. Specifically, review application access logs for any direct access attempts to administrative URLs or functions, especially from unexpected IP addresses or user accounts. Monitor for the creation of new, unauthorized administrative accounts or unusual changes in system configurations.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Restrict network access to the application, ensuring it is only accessible from trusted internal networks.
• Deploy a Web Application Firewall (WAF) with rules specifically designed to block unauthorized access to known administrative paths and functions.
• Implement heightened alerting for any administrative actions performed on the system to ensure rapid detection of suspicious activity.

Public Exploit Available: false

Due to the critical severity (CVSS 9.1) of this vulnerability and the potential for complete system compromise, immediate remediation is strongly recommended. Organizations must prioritize the deployment of the vendor-supplied patches across all affected systems. Although this vulnerability is not yet listed in the CISA KEV catalog, its severity makes it a prime target for future exploitation. If patching is delayed, the compensating controls listed above should be implemented without delay to reduce the attack surface.