CVE-2025-10554 is a stored Cross-site Scripting (XSS) vulnerability identified in Dassault Systèmes ENOVIA Product Manager, specifically impacting the Requirements feature across releases 3DEXPERIENCE R2023x, R2024x, and R2025x. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing malicious script code to be stored and later executed in the browsers of users who access the compromised content. The attack vector is network-based with low attack complexity, requiring the attacker to have some privileges (PR:L) and user interaction (UI:R) to succeed. The vulnerability affects confidentiality and integrity severely (C:H/I:H) but does not affect availability (A:N). The scope is changed (S:C), meaning the vulnerability can impact resources beyond the attacker’s privileges. An attacker can inject malicious JavaScript into the Requirements module, which when viewed by other users, executes in their browser context, potentially leading to session hijacking, credential theft, unauthorized actions, or data exfiltration. Although no public exploits are reported yet, the high CVSS score (8.7) reflects the significant risk posed by this vulnerability. The vulnerability is particularly critical in environments where ENOVIA Product Manager is used for sensitive product lifecycle management and collaboration, as it could compromise intellectual property and sensitive project data. The vulnerability was reserved on 2025-09-16 and published on 2025-11-24, with no patch links currently available, indicating that organizations should monitor for vendor updates and apply them promptly once released.

For European organizations, especially those in manufacturing, aerospace, automotive, and engineering sectors that rely on Dassault Systèmes ENOVIA Product Manager for product lifecycle management, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive design and requirements data, manipulation of product specifications, and compromise of user sessions. This could result in intellectual property theft, disruption of collaborative workflows, and potential regulatory compliance issues under GDPR due to data breaches. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, as insider threats or social engineering could facilitate exploitation. The impact on confidentiality and integrity is high, potentially undermining trust in critical engineering processes and causing financial and reputational damage. Additionally, the cross-site scripting nature of the vulnerability could be leveraged as a foothold for further attacks within the corporate network.

Organizations should prioritize the following mitigations: 1) Monitor Dassault Systèmes communications and apply security patches immediately upon release to address CVE-2025-10554. 2) Implement strict input validation and output encoding on all user-supplied data within ENOVIA, particularly in the Requirements module, to prevent script injection. 3) Enforce the principle of least privilege by restricting user permissions to only those necessary for their role, minimizing the potential for malicious input. 4) Deploy Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Educate users on the risks of interacting with untrusted content and implement multi-factor authentication to reduce the risk of compromised credentials. 6) Enhance monitoring and logging of user activities within ENOVIA to detect anomalous behavior indicative of exploitation attempts. 7) Consider network segmentation and web application firewalls (WAF) with rules tailored to detect and block XSS payloads targeting ENOVIA. These steps collectively reduce the likelihood and impact of exploitation beyond generic patching advice.