CVE-2023-6078 is a high-severity OS Command Injection vulnerability (CWE-78) affecting Dassault Systèmes BIOVIA Materials Studio products from the 2021 Golden release through the 2023 Golden release. The vulnerability arises due to improper neutralization of special elements in user-supplied input, specifically via the upload of a specially crafted Perl script. This flaw allows an attacker with at least limited privileges (PR:L) to execute arbitrary operating system commands on the affected system without requiring user interaction (UI:N). The vulnerability has a CVSS v3.1 base score of 8.8, reflecting its critical impact on confidentiality, integrity, and availability. Exploitation can lead to full system compromise, including unauthorized data access, modification, or destruction, and potential lateral movement within the network. The attack vector is network-based (AV:N), meaning the attacker can exploit this remotely, provided they have the necessary privileges. The scope remains unchanged (S:U), indicating the impact is confined to the vulnerable component. No known exploits are currently reported in the wild, but the presence of this vulnerability in widely used scientific and materials modeling software presents a significant risk, especially in research and industrial environments where BIOVIA Materials Studio is deployed. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce exposure.

For European organizations, particularly those involved in materials science, chemical research, pharmaceuticals, and advanced manufacturing sectors, this vulnerability poses a substantial risk. BIOVIA Materials Studio is a specialized software suite used extensively in R&D environments to simulate and analyze material properties. Successful exploitation could lead to unauthorized access to sensitive intellectual property, research data, and proprietary formulas, potentially resulting in significant financial losses and reputational damage. Moreover, attackers could leverage this vulnerability to establish persistent footholds within corporate networks, facilitating espionage or sabotage. Given the high confidentiality and integrity requirements of research data in Europe, exploitation could also lead to regulatory compliance issues under frameworks such as GDPR if personal or sensitive data is involved. The availability impact could disrupt critical research workflows, delaying projects and innovation. The remote exploitability combined with the requirement for limited privileges means insider threats or compromised user accounts could be leveraged to launch attacks, increasing the threat surface.

1. Immediate Restriction of Access: Limit access to BIOVIA Materials Studio installations to trusted users only, enforcing strict role-based access controls to minimize the number of users with privileges capable of uploading scripts. 2. Network Segmentation: Isolate systems running BIOVIA Materials Studio from broader enterprise networks to contain potential compromises and prevent lateral movement. 3. Input Validation and Monitoring: Implement application-layer controls to detect and block uploads of suspicious or unauthorized script files, especially Perl scripts. 4. Privilege Management: Review and minimize user privileges on affected systems to the least necessary, reducing the risk of exploitation. 5. Incident Detection: Deploy host-based and network-based intrusion detection systems tuned to identify unusual command execution patterns or script uploads related to BIOVIA. 6. Vendor Coordination: Engage with Dassault Systèmes for timely updates and patches; monitor official channels for patch releases and apply them promptly once available. 7. Temporary Workarounds: If feasible, disable or restrict the script upload functionality until a patch is applied. 8. Security Awareness: Train users on the risks of uploading untrusted scripts and the importance of following security policies. These measures, combined, will reduce the attack surface and mitigate the risk until a vendor patch is released.