CVE-2025-10555 identifies a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 in the DELMIA Service Process Engineer product by Dassault Systèmes, specifically affecting the Service Items Management module in the 3DEXPERIENCE R2025x Golden release. Stored XSS vulnerabilities occur when malicious input is persistently stored by the application and later rendered in web pages without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript in the context of other users' browsers. This vulnerability requires an attacker to have limited privileges (PR:L) and user interaction (UI:R), such as tricking a user into viewing a crafted page or item, to trigger the malicious script execution. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), partial privileges, and user interaction, with a scope change (S:C) meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is high (C:H/I:H), but availability is unaffected (A:N). Exploitation could lead to session hijacking, credential theft, unauthorized actions on behalf of users, or spreading malware within the affected environment. Although no public exploits are currently known, the vulnerability's presence in a critical industrial software suite used for process engineering and manufacturing workflow management makes it a significant threat. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

For European organizations, especially those in manufacturing, aerospace, automotive, and industrial engineering sectors that rely on Dassault Systèmes DELMIA products, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive process data, intellectual property theft, and manipulation of manufacturing workflows, potentially causing operational disruptions and financial losses. The confidentiality breach could expose proprietary designs and process parameters, while integrity compromises could result in altered workflows or corrupted data, undermining product quality and safety. Given the interconnected nature of industrial systems, an attacker leveraging this XSS flaw might pivot to other internal systems, increasing the attack surface. The requirement for user interaction means social engineering or phishing campaigns could be used to trigger the exploit, increasing the risk to employees and contractors. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score underscores the urgency. European organizations must consider the potential regulatory implications under GDPR if personal or sensitive data is compromised.

Organizations should immediately review user privileges within DELMIA Service Process Engineer to minimize the number of users with permissions to input or manage service items. Implement strict input validation and output encoding on all user-supplied data fields related to service items to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor logs and user activity for unusual input patterns or script execution attempts. Educate users about the risks of interacting with untrusted links or content within the DELMIA environment to reduce successful social engineering. Coordinate with Dassault Systèmes for timely patch deployment once available and test patches in controlled environments before production rollout. Consider network segmentation to isolate critical DELMIA components from broader enterprise networks to limit lateral movement. Use web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the affected modules. Finally, maintain up-to-date backups and incident response plans tailored to industrial software environments.