CVE-2025-33077: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer in IBM Engineering Systems Design Rhapsody

Severity: High
Tags: Vulnerability, CVE-2025-33077, cve, cve-2025-33077, cwe-119
Published: Wed Jul 23 2025 (07/23/2025, 14:49:24 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Engineering Systems Design Rhapsody

Description

IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.

AI-Powered Analysis

Last updated: 08/19/2025, 01:16:42 UTC

Technical Analysis

CVE-2025-33077 is a high-severity vulnerability in IBM Engineering Systems Design Rhapsody versions 9.0.2, 10.0, and 10.0.1. It is a stack-based buffer overflow caused by improper restriction of operations within the bounds of a memory buffer (CWE-119): the software does not adequately check the bounds of data written to a stack buffer, so a local user can overflow it. The overflow can lead to arbitrary code execution on the affected system with the privileges of the local user. Exploitation requires local access and no user interaction; attack complexity is low, and no privileges beyond local user rights are needed. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability: successful exploitation could let an attacker execute malicious code, potentially leading to full system compromise or disruption of critical engineering design processes. No public exploits are known, and no patches had been published at the time of this analysis. The affected product is a specialized engineering design tool widely used in systems engineering and embedded software development, and it often runs on workstations within enterprise environments.

Potential Impact

For European organizations, especially those involved in aerospace, automotive, defense, and industrial automation sectors, this vulnerability poses a significant risk. IBM Engineering Systems Design Rhapsody is commonly used for model-driven development and systems engineering, often integral to the design and verification of safety-critical systems. Exploitation could lead to unauthorized code execution on engineering workstations, potentially compromising intellectual property, disrupting development workflows, or enabling lateral movement within corporate networks. Given the high confidentiality and integrity impact, sensitive design data could be stolen or manipulated, affecting product safety and compliance with European regulatory standards such as GDPR and industry-specific certifications. Availability impact could also disrupt project timelines and operational continuity. The local access requirement limits remote exploitation but insider threats or compromised endpoints could leverage this vulnerability to escalate privileges or implant persistent threats.

Mitigation Recommendations

Organizations should immediately inventory their use of IBM Engineering Systems Design Rhapsody to identify affected versions (9.0.2, 10.0, 10.0.1). Until an official patch is released, implement strict access controls to limit local user access to systems running the vulnerable software. Employ application whitelisting and endpoint detection and response (EDR) solutions to monitor for anomalous behavior indicative of exploitation attempts. Enforce the principle of least privilege, ensuring users operate with minimal necessary rights. Network segmentation should isolate engineering workstations from general user networks to reduce lateral movement risk. Regularly back up critical engineering data and verify integrity to enable recovery from potential compromise. Monitor IBM security advisories closely for patch releases and apply updates promptly. Additionally, conduct user training to raise awareness about the risks of local exploitation and insider threats.

Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T17:50:20.368Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6880f995ad5a09ad002679c7

Added to database: 7/23/2025, 3:02:45 PM

Last enriched: 8/19/2025, 1:16:42 AM

Last updated: 8/30/2025, 1:06:39 AM