CVE-2025-10555 identifies a stored Cross-site Scripting (XSS) vulnerability in Dassault Systèmes DELMIA Service Process Engineer, specifically in the Service Items Management component of the 3DEXPERIENCE R2025x Golden release. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing malicious script code to be stored on the server and later executed in the browsers of users who access the affected pages. An attacker with limited privileges (PR:L) can craft input that, when rendered, executes arbitrary JavaScript in the context of other users’ sessions, requiring user interaction (UI:R) to trigger. The vulnerability has a CVSS 3.1 score of 8.7, indicating high severity, with a vector showing network attack vector (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the exploit can affect resources beyond the vulnerable component. The impact includes high confidentiality and integrity loss, such as session hijacking, credential theft, or unauthorized actions within the application, though availability is not affected. No public exploits are known yet, but the vulnerability’s nature and scoring suggest it could be weaponized in targeted attacks. The flaw is specific to the Service Items Management feature, which is critical for managing industrial service processes, making it a valuable target for attackers aiming to disrupt or spy on industrial workflows. The vulnerability was reserved in September 2025 and published in November 2025, with no current patches publicly linked, indicating organizations must monitor vendor advisories closely.

For European organizations, particularly those in manufacturing, aerospace, automotive, and industrial engineering sectors that rely on Dassault Systèmes DELMIA Service Process Engineer, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to sensitive operational data, manipulation of service process workflows, and compromise of user credentials. This can result in intellectual property theft, disruption of industrial operations, and potential compliance violations under GDPR due to data breaches. Since the vulnerability allows scope change, attackers might leverage it to pivot within the network or escalate privileges. The requirement for user interaction means phishing or social engineering could facilitate exploitation, increasing risk in environments with less stringent user awareness. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score underscores the urgency for mitigation. Industrial organizations in Europe are often targeted by advanced persistent threats (APTs), making this vulnerability a potential vector for sophisticated attacks.

Organizations should immediately inventory their use of DELMIA Service Process Engineer Release 3DEXPERIENCE R2025x Golden and prioritize patching once Dassault Systèmes releases an official fix. Until patches are available, implement strict input validation and output encoding on all user-supplied data within the Service Items Management module to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges to the minimum necessary, especially for users who can input data into vulnerable components, to reduce attack surface. Conduct user awareness training focused on recognizing phishing attempts that could trigger malicious payloads. Monitor application logs and network traffic for unusual activities indicative of exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this application. Regularly review and update security controls as vendor patches and advisories become available.