(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – October 30, 2025

TLP:CLEAR

Author: Chase Snow

Created: Thursday, October 30, 2025 - 13:33

Categories: Cybersecurity, Security Preparedness

The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC raises additional awareness through alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
CVSS v3.1: 9.8
CVE: CVE-2025-59287
Description: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. WaterISAC released a vulnerability notification regarding this vulnerability, and CISA has added this vulnerability to its KEV catalog.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

Dassault Systèmes DELMIA Apriso – Code Injection Vulnerability
CVSS v3.1: 8.0
CVE: CVE-2025-6204
Description: An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code. CISA has added this vulnerability to its KEV catalog.
Source: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204

Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
CVSS v3.1: 9.1
CVE: CVE-2025-6205
Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network. A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application. CISA has added this vulnerability to its KEV catalog.
Source: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
