Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Improper authentication grants unauthenticated network access to a privileged server session with no user interaction and full C/I/A impact, so AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H.
Primary rating from Vendor (3DS).
CVSS VectorVendor: 3DS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.
AnalysisAI
Authentication bypass in Dassault Systèmes DELMIA Apriso (Release 2020 through Release 2026) lets remote unauthenticated attackers obtain privileged access to the manufacturing operations server, consistent with the CVSS PR:N/UI:N metrics. Rated CVSS 9.8 (C:H/I:H/A:H), it exposes shop-floor and production-control functions to full compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker needs network reachability to the DELMIA Apriso application/authentication endpoint; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) exploitation is remote, unauthenticated, low-complexity, and requires no user interaction against affected deployments running any Release from 2020 through 2026. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to genuine high priority: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes network-reachable, low-complexity, unauthenticated exploitation yielding full confidentiality, integrity, and availability loss, and 'privileged access to the server' aligns with that impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the DELMIA Apriso server over the network sends crafted requests to the authentication interface that the application incorrectly accepts as valid, obtaining a privileged session without credentials. From there they read and alter manufacturing execution data, production orders, and configuration, or disrupt operations. … |
| Remediation | Apply the fixed release identified in the Dassault Systèmes 3DS security advisory (https://www.3ds.com/trust-center/security/security-advisories/cve-2026-9695); no exact fixed version is stated in the available data, so treat patch status as 'Patch available per vendor advisory' and confirm the precise build with 3DS support before scheduling maintenance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Implement network segmentation restricting Dassault Systèmes DELMIA Apriso administrative access to trusted internal networks only; enable multi-factor authentication for all administrative accounts; activate comprehensive audit logging on all DELMIA Apriso systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Delmia Apriso
View allDELMIA Apriso contains a missing authorization vulnerability allowing attackers to gain privileged access to the manufac
Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025
DELMIA Apriso from Release 2020 through 2025 contains a code injection vulnerability allowing attackers to execute arbit
An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authenticati
Insertion of Sensitive Information into Log File vulnerabilities are affecting DELMIA Apriso Release 2019 through Releas
A Server-Side Request Forgery vulnerability in DELMIA Apriso Release 2017 through Release 2022 could allow an unauthenti
A reflected Cross-site Scripting (XSS) Vulnerability in DELMIA Apriso Release 2017 through Release 2022 allows an attack
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42177
GHSA-hx4w-2f46-xmmc