CVE-2025-0602: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes Collaborative Industry Innovator
A stored Cross-site Scripting (XSS) vulnerability affecting Compare in Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
AI Analysis
Technical Summary
CVE-2025-0602 is a high-severity stored Cross-site Scripting (XSS) vulnerability in the Compare feature of Dassault Systèmes' Collaborative Industry Innovator, affecting releases 3DEXPERIENCE R2023x Golden, R2024x Golden, and R2025x Golden. It stems from improper neutralization of input during web page generation (CWE-79): an attacker can inject script code that is stored by the application and later executed in other users' browsers. The script runs with the privileges of the victim user, which can lead to session hijacking, credential theft, unauthorized actions on the user's behalf, or delivery of further malicious payloads.
The CVSS v3.1 base score is 8.7, reflecting high impact on confidentiality and integrity and no impact on availability. The vector is network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), changed scope (S:C), and high confidentiality and integrity impact with no availability impact (C:H/I:H/A:N).
No exploits are currently reported in the wild, but the vulnerability's presence in widely used enterprise collaboration software makes it a significant risk. No patches were available at the time of publication, so affected organizations need to act immediately to mitigate potential exploitation.
Potential Impact
For European organizations using Dassault Systèmes Collaborative Industry Innovator, this vulnerability poses a substantial risk to the confidentiality and integrity of sensitive industrial and collaborative data. Because the product manages complex engineering and manufacturing workflows, exploitation could lead to unauthorized access to proprietary designs, intellectual property theft, and manipulation of collaborative inputs. Because the XSS is stored, once a malicious script has been injected any user who opens the affected feature may unknowingly execute it, which could compromise user credentials and enable lateral movement within corporate networks. The risk is amplified in sectors such as automotive, aerospace, and industrial manufacturing, where Dassault Systèmes products have significant market penetration in Europe. The vulnerability could also undermine trust in collaborative platforms, indirectly disrupt business continuity through data breaches, and expose organizations to regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
Given the absence of official patches at the time of disclosure, European organizations should implement immediate compensating controls. These include:
1) Restricting access to the Compare feature to only trusted and essential users through role-based access controls to minimize exposure.
2) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payload patterns targeting the Collaborative Industry Innovator interface.
3) Conducting thorough input validation and output encoding on any user-generated content within the application, if customization or extensions are possible.
4) Educating users about the risks of clicking on suspicious links or interacting with untrusted content within the platform.
5) Monitoring application logs and user activity for unusual behavior indicative of exploitation attempts.
6) Planning for rapid deployment of official patches once released by Dassault Systèmes.
Additionally, organizations should review their incident response plans to include scenarios involving XSS exploitation in collaboration tools.
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Sweden, Belgium, Finland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: 3DS
- Date Reserved: 2025-01-20T08:35:28.533Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6839c097182aa0cae2b3b6a2
Added to database: 5/30/2025, 2:28:39 PM
Last enriched: 7/8/2025, 1:43:09 PM
Last updated: 7/30/2025, 5:12:24 PM