CVE-2025-10554 is a stored Cross-site Scripting (XSS) vulnerability categorized under CWE-79, affecting Dassault Systèmes ENOVIA Product Manager in the 3DEXPERIENCE platform releases R2023x through R2025x. The vulnerability arises from improper neutralization of input during web page generation within the Requirements module, allowing an attacker to inject malicious JavaScript code that is stored persistently and executed in the browsers of other users who view the affected content. Exploitation requires the attacker to have at least limited privileges (PR:L) and user interaction (UI:R), such as convincing a user to open a crafted Requirements page. The vulnerability impacts confidentiality and integrity severely by enabling session hijacking, credential theft, and unauthorized actions performed under the victim's session. The CVSS v3.1 base score is 8.7 (high), reflecting network attack vector, low attack complexity, required privileges, user interaction, and scope change. No public exploits are known yet, but the vulnerability's presence in widely used ENOVIA Product Manager versions makes it a significant risk. The lack of available patches at the time of publication necessitates immediate defensive measures. ENOVIA is widely used in industries requiring collaborative product lifecycle management (PLM), making this vulnerability particularly critical for organizations relying on secure engineering workflows.

For European organizations, the impact of CVE-2025-10554 is substantial. ENOVIA Product Manager is commonly deployed in aerospace, automotive, industrial manufacturing, and engineering sectors prevalent in Europe. Successful exploitation can lead to unauthorized disclosure of sensitive design and product data, manipulation of requirements documents, and potential disruption of product development processes. This can cause intellectual property theft, regulatory compliance violations (e.g., GDPR due to data leakage), and reputational damage. The vulnerability's ability to compromise user sessions can facilitate lateral movement within corporate networks, increasing the risk of broader intrusions. Given the collaborative nature of ENOVIA, multiple users and departments may be affected simultaneously, amplifying operational impact. European companies engaged in critical infrastructure or defense-related manufacturing are particularly at risk due to the strategic importance of their data and the high value of their intellectual property.

To mitigate CVE-2025-10554 effectively, European organizations should: 1) Immediately apply any official patches or updates released by Dassault Systèmes once available. 2) Implement strict input validation and output encoding on all user-supplied data within ENOVIA, especially in the Requirements module, to prevent script injection. 3) Enforce Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 4) Limit user privileges to the minimum necessary, reducing the risk posed by compromised accounts. 5) Educate users about the risks of interacting with untrusted content and encourage cautious behavior regarding links and attachments. 6) Monitor application logs and network traffic for unusual activity indicative of exploitation attempts. 7) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting ENOVIA. 8) Conduct regular security assessments and penetration testing focused on web application vulnerabilities within PLM systems. 9) Isolate ENOVIA environments where possible to limit exposure and lateral movement. 10) Maintain incident response readiness to quickly contain and remediate any detected exploitation.