
CVE-2025-10552: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes 3DSwymer

Severity: High
Tags: vulnerability, CVE-2025-10552, CWE-79
Published: Mon Oct 13 2025 (10/13/2025, 07:36:11 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: 3DSwymer

Description

A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

AI-Powered Analysis

Last updated: 10/21/2025, 00:40:32 UTC

Technical Analysis

CVE-2025-10552 identifies a stored Cross-site Scripting (XSS) vulnerability in the 3DSwymer component of Dassault Systèmes' 3DEXPERIENCE platform, specifically in Release 3DEXPERIENCE R2025x Golden. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious JavaScript code that is persistently stored and executed in the context of other users' browsers. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is high (C:H/I:H), while availability is not affected (A:N). An attacker with limited privileges can craft input that, when rendered by the application, executes arbitrary scripts, potentially stealing session tokens, performing actions on behalf of users, or delivering further malware. Although no public exploits are known yet, the vulnerability's characteristics and high CVSS score (8.7) indicate it is a critical risk. The vulnerability affects a widely used platform in industries relying on collaborative engineering and product lifecycle management, making it a valuable target for attackers aiming to compromise sensitive intellectual property or disrupt operations.

Potential Impact

For European organizations, this vulnerability poses significant risks, particularly in sectors such as aerospace, automotive, manufacturing, and industrial design where Dassault Systèmes' 3DEXPERIENCE platform is extensively used. Exploitation could lead to unauthorized access to confidential project data, intellectual property theft, and manipulation of collaborative workflows. The stored XSS nature allows persistent compromise of user sessions, enabling attackers to impersonate users, escalate privileges, or pivot within the network. This could disrupt business continuity and damage reputations. Given the collaborative nature of 3DSwymer, attackers might also leverage this vulnerability to spread malware or conduct phishing campaigns internally. The requirement for user interaction and limited privileges reduces the ease of exploitation but does not eliminate the threat, especially in environments with many users and frequent content sharing. The lack of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

1. Apply official patches from Dassault Systèmes immediately once they become available for Release 3DEXPERIENCE R2025x Golden.
2. Until patches are released, implement strict input validation and output encoding on all user-generated content within 3DSwymer to prevent script injection.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the platform.
4. Conduct regular security audits and penetration testing focused on web application vulnerabilities, especially XSS.
5. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the platform.
6. Monitor logs and user activity for unusual behavior indicative of exploitation attempts.
7. Limit user privileges to the minimum necessary to reduce the attack surface.
8. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting 3DSwymer.
9. Coordinate with Dassault Systèmes support for guidance and updates on vulnerability remediation.
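As an added illustration of recommendations 2 and 3 (output encoding of stored user content and a nonce-based CSP), the Python below is a hypothetical sketch written for this page; it is not 3DSwymer or Dassault Systèmes code, and the stored posts and header values are constructed.

```python
import html
import re
import secrets

# Constructed sample of stored user content, as a collaboration feed might
# persist it (hypothetical, not data from 3DSwymer). The second post carries
# markup that a stored-XSS bug would otherwise hand to the browser unescaped.
STORED_POSTS = [
    "Updated the bracket CAD model, please review.",
    'Nice work! <img src=x onerror="alert(1)"> <script>alert(1)</script>',
]


def render_post_html(body: str) -> str:
    """Output-encode one stored post for an HTML text context.

    html.escape() with quote=True neutralises <, >, &, " and ', so stored
    markup is displayed as literal text instead of being parsed as HTML.
    """
    return '<p class="post">' + html.escape(body, quote=True) + "</p>"


def csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy that allows only same-origin scripts
    plus inline scripts carrying the per-response nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


def render_feed(posts: list[str]) -> tuple[dict, str]:
    """Render the whole feed; returns (response headers, HTML page)."""
    nonce = secrets.token_urlsafe(16)  # fresh per response, never reused
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }
    body = "\n".join(render_post_html(p) for p in posts)
    page = (
        "<!doctype html><html><body>\n" + body +
        f'\n<script nonce="{nonce}">/* trusted application script */</script>'
        "\n</body></html>"
    )
    return headers, page


def has_raw_script_markup(fragment: str) -> bool:
    """Regression check for a rendered post: any live <script> tag or
    inline event handler (on*=) inside a tag means encoding was skipped."""
    lowered = fragment.lower()
    return "<script" in lowered or re.search(r"<[a-z]+[^>]*\son[a-z]+=", lowered) is not None
```

The CSP alone does not fix the encoding bug; it limits what an injected script can do if encoding is missed, which is why the two recommendations are paired.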


Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2025-09-16T12:56:35.054Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ecae3d13a035d7a7575bf3

Added to database: 10/13/2025, 7:46:05 AM

Last enriched: 10/21/2025, 12:40:32 AM

Last updated: 11/28/2025, 1:56:04 PM

