
CVE-2025-10557: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes ENOVIA Collaborative Industry Innovator

Severity: High
Type: Vulnerability
Tags: CVE-2025-10557, cve, cve-2025-10557, cwe-79
Published: Mon Oct 13 2025 (10/13/2025, 07:36:28 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: ENOVIA Collaborative Industry Innovator

Description

A stored Cross-site Scripting (XSS) vulnerability affecting Issue Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

AI-Powered Analysis

Last updated: 10/28/2025, 03:56:16 UTC

Technical Analysis

CVE-2025-10557 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, in the Issue Management functionality of Dassault Systèmes ENOVIA Collaborative Industry Innovator, in releases from 3DEXPERIENCE R2022x Golden through R2025x Golden. Stored XSS occurs when malicious script code is injected and permanently stored on the target server, then executed in the browsers of users who access the affected content. In this case, an attacker with at least limited privileges (PR:L) can inject arbitrary JavaScript code into the Issue Management interface, and exploitation requires user interaction (UI:R). When other users view the compromised data, the malicious script executes within their browser session, potentially allowing the attacker to hijack user sessions, steal sensitive information, perform unauthorized actions, or pivot to further attacks within the enterprise environment.

The vulnerability has a CVSS v3.1 base score of 8.7, reflecting its high impact on confidentiality and integrity, with no impact on availability. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. Although no public exploits are known yet, the vulnerability's presence in widely used ENOVIA releases and the critical nature of the data managed by ENOVIA (product lifecycle, design collaboration) make it a significant threat. It is remotely exploitable over the network without elevated privileges, but it does require user interaction, such as viewing a maliciously crafted issue entry. No official patches were listed at the time of publication, so organizations must monitor vendor advisories closely.

Potential Impact

For European organizations, especially those in aerospace, automotive, manufacturing, and industrial design sectors that rely heavily on Dassault Systèmes ENOVIA for collaborative innovation and product lifecycle management, this vulnerability poses a serious risk. Exploitation could lead to unauthorized disclosure of sensitive intellectual property, design documents, and project data, undermining confidentiality. Attackers could also manipulate issue tracking data, affecting data integrity and potentially disrupting workflows. The ability to hijack user sessions may allow lateral movement within corporate networks, increasing the risk of broader compromise. Given the collaborative nature of ENOVIA, multiple users and departments could be affected, amplifying the impact. The vulnerability's network-exploitable nature means attackers can target organizations remotely, increasing exposure. The lack of known exploits currently provides a window for proactive defense, but the high CVSS score indicates that once exploited, damage could be severe.

Mitigation Recommendations

1. Monitor Dassault Systèmes advisories and apply official patches immediately upon release to remediate the vulnerability.
2. Until patches are available, implement strict input validation and output encoding on all user-supplied data within the Issue Management module to prevent script injection and execution.
3. Restrict user privileges to the minimum necessary, limiting who can create or edit issues to reduce attack surface.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting ENOVIA endpoints.
5. Conduct regular security awareness training for users to recognize suspicious links or content that could trigger malicious scripts.
6. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing ENOVIA.
7. Monitor application logs and user activity for anomalies indicative of exploitation attempts.
8. Segment the network to isolate ENOVIA servers and limit lateral movement opportunities if compromise occurs.
9. Consider deploying endpoint detection and response (EDR) solutions to detect malicious behaviors resulting from XSS exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2025-09-16T12:56:45.571Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68ecae3d13a035d7a7575c08

Added to database: 10/13/2025, 7:46:05 AM

Last enriched: 10/28/2025, 3:56:16 AM

Last updated: 12/5/2025, 5:39:12 AM
