CVE-2025-10557 is a stored Cross-site Scripting (XSS) vulnerability identified in the Issue Management module of Dassault Systèmes ENOVIA Collaborative Industry Innovator, spanning releases from 3DEXPERIENCE R2022x Golden through R2025x Golden. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing malicious script code to be stored on the server and executed in the context of other users’ browsers when they view the affected content. This stored XSS flaw enables attackers with limited privileges (PR:L) to inject arbitrary JavaScript that executes upon user interaction (UI:R), potentially hijacking user sessions, stealing authentication tokens, or performing unauthorized actions on behalf of the victim. The CVSS v3.1 base score of 8.7 reflects the vulnerability’s network attack vector (AV:N), low attack complexity (AC:L), and high impact on confidentiality and integrity (C:H/I:H), though availability remains unaffected (A:N). The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. No public exploits are currently known, but the vulnerability’s nature and affected product’s widespread use in collaborative industrial innovation make it a significant risk. ENOVIA is widely deployed in sectors such as aerospace, automotive, and manufacturing, where sensitive intellectual property and design data are managed. Attackers exploiting this vulnerability could gain access to confidential design information or manipulate issue tracking data, potentially disrupting product development workflows. The vulnerability requires user interaction, typically the victim viewing or interacting with maliciously crafted issue entries. Since the flaw is in a collaborative platform, the risk of lateral movement and privilege escalation exists if attackers leverage stolen credentials or session tokens. The vulnerability was published on October 13, 2025, with no patches linked yet, emphasizing the need for immediate attention from affected organizations.

For European organizations, the impact of CVE-2025-10557 is significant due to the critical role ENOVIA plays in managing product lifecycle and collaborative innovation workflows. Confidentiality breaches could expose proprietary designs, trade secrets, and sensitive project data, leading to competitive disadvantages and intellectual property theft. Integrity compromises could result in unauthorized modifications to issue tracking data, causing workflow disruptions, erroneous decision-making, and potential safety risks in regulated industries. Although availability is not directly impacted, the indirect effects of compromised data integrity and confidentiality could lead to operational delays and reputational damage. Given the collaborative nature of ENOVIA, attackers might leverage this vulnerability to move laterally within networks, escalating privileges or accessing other critical systems. European manufacturers, particularly in aerospace, automotive, and high-tech sectors, are prime targets due to their reliance on ENOVIA for innovation and compliance with stringent regulatory requirements. The vulnerability also poses risks to supply chain security, as compromised ENOVIA instances could be used to infiltrate partner organizations. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score and ease of exploitation underscore the urgency for European entities to act swiftly.

1. Apply official patches from Dassault Systèmes immediately upon release to remediate the vulnerability. 2. Implement strict input validation and output encoding on all user-generated content within ENOVIA, especially in Issue Management, to prevent malicious script injection. 3. Enforce the principle of least privilege by restricting user permissions to only those necessary for their roles, minimizing the risk of malicious input submission. 4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting ENOVIA endpoints. 5. Conduct regular security awareness training for users to recognize phishing and social engineering attempts that could facilitate exploitation. 6. Monitor logs and network traffic for unusual activity indicative of XSS exploitation attempts or session hijacking. 7. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing ENOVIA. 8. Review and harden session management controls to reduce the impact of stolen session tokens. 9. Coordinate with supply chain partners to ensure they are aware of the vulnerability and mitigation steps, reducing risk of cross-organizational compromise. 10. Perform security assessments and penetration testing focused on web application vulnerabilities in ENOVIA environments.