CVE-2025-10558: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes 3DSwymer
A stored Cross-site Scripting (XSS) vulnerability affecting 3DSearch in 3DSwymer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.
AI Analysis
Technical Summary
CVE-2025-10558 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in the 3DSearch feature of Dassault Systèmes' 3DSwymer product, part of the 3DEXPERIENCE platform Release R2025x Golden. Stored XSS occurs when malicious input is saved by the application and later rendered in users' browsers without proper sanitization or encoding. In this case, an attacker with limited privileges (PR:L) can inject arbitrary JavaScript code into the 3DSearch component, which is then executed in the context of other users who view the affected content. The vulnerability requires user interaction (UI:R), such as clicking a malicious link or viewing a compromised page, and has a scope change (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and no impact on availability (A:N), but high impact on confidentiality (C:H) and integrity (I:H). This means attackers can potentially steal sensitive data, hijack sessions, or perform actions on behalf of users. Although no public exploits are currently known, the high CVSS score and nature of stored XSS make this a critical concern for organizations using this software. The lack of a patch link suggests that mitigation or updates may still be pending or need to be obtained directly from Dassault Systèmes.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of sensitive data processed or stored within the 3DSwymer platform. Given Dassault Systèmes' strong presence in aerospace, automotive, and industrial manufacturing sectors across Europe, exploitation could lead to unauthorized access to intellectual property, user credentials, and session tokens. This could facilitate further attacks such as privilege escalation, data exfiltration, or disruption of business operations through compromised user accounts. The vulnerability's stored nature means that once malicious scripts are injected, they can affect multiple users over time, increasing the potential damage. Organizations relying on 3DEXPERIENCE for product lifecycle management or collaborative design are particularly vulnerable, as attackers could manipulate or steal proprietary design data. Additionally, the requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the attack surface. The absence of known exploits currently provides a window for proactive mitigation, but the high severity demands urgent attention.
Mitigation Recommendations
European organizations should immediately audit their use of Dassault Systèmes 3DSwymer, specifically the 3DSearch component in Release 3DEXPERIENCE R2025x Golden. They should contact Dassault Systèmes for official patches or updates addressing CVE-2025-10558. In the interim, implement strict input validation and output encoding on all user-supplied data within the 3DSearch feature to prevent malicious script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct user awareness training to reduce the risk of social engineering attacks that could trigger the vulnerability. Monitor logs for unusual activity related to 3DSearch inputs and user sessions. Consider isolating or restricting access to the vulnerable component until a patch is applied. Additionally, review and harden authentication and session management controls to limit the impact of any potential session hijacking. Regularly scan the environment with web application security tools to detect any stored XSS payloads.
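An added example, not code from Dassault Systèmes or from this advisory, of the two mitigations named above applied to a search feature that stores user-supplied terms and later renders them for other users: the vulnerable concatenation beside its output-encoded form, a CSP header that refuses inline script, and a simple check that flags stored terms still carrying raw markup. The search entries, the `renderUnsafe`/`renderSafe` functions and the nonce value are constructed placeholders.

```javascript
// Added example (not 3DSwymer code): neutralizing stored search terms at output time.

// HTML entity encoding for text that is placed inside element content or
// quoted attribute values. Every character with HTML meaning is replaced.
function encodeHtml(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Constructed sample of a stored search history: one benign term and one
// that carries the kind of markup a stored-XSS payload would contain.
const storedSearches = [
  { user: "alice", term: "turbine blade rev3" },
  { user: "mallory", term: "<script>alert(1)</script>" },
];

// Vulnerable pattern (CWE-79): the stored term goes straight into markup, so
// a browser rendering this string executes whatever was stored.
function renderUnsafe(entries) {
  return entries.map((e) => `<li>${e.term}</li>`).join("");
}

// Hardened pattern: every stored value is entity-encoded when the page is
// generated, so the browser shows the markup as text instead of running it.
function renderSafe(entries) {
  return entries.map((e) => `<li>${encodeHtml(e.term)}</li>`).join("");
}

// Defense in depth: a CSP that allows only same-origin scripts carrying the
// per-response nonce. No 'unsafe-inline', so an injected inline script or
// handler is blocked even if an encoding step is missed somewhere.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
         `object-src 'none'; base-uri 'none'`;
}

// Monitoring aid: flags stored terms that still contain raw tag syntax, so a
// periodic scan of the search store can surface injected payloads for review.
function containsMarkup(term) {
  return /<\s*[a-z!/]/i.test(term);
}
```

The encoded output is what a reviewer should expect to see in the page source after the fix; seeing the raw tag there (as `renderUnsafe` produces) is the defect this CVE describes.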
Affected Countries
France, Germany, Italy, United Kingdom, Spain, Sweden, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: 3DS
- Date Reserved: 2025-09-16T12:56:47.705Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ecae3d13a035d7a7575c0e
Added to database: 10/13/2025, 7:46:05 AM
Last enriched: 10/21/2025, 12:46:15 AM
Last updated: 12/2/2025, 11:42:20 PM