CVE-2025-4990: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes Product Manager
A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.
AI Analysis
Technical Summary
CVE-2025-4990 is a high-severity stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Change Governance component of Dassault Systèmes' Product Manager software. It is present in multiple releases of the 3DEXPERIENCE platform, from R2022x Golden through R2025x Golden. Stored XSS occurs when malicious script code is injected and permanently stored on the target server, then executed in the browsers of users who later access the affected content. In this case, an attacker can exploit improper input neutralization during web page generation to inject arbitrary JavaScript code. Exploitation requires low privileges (PR:L) and user interaction (UI:R), and attack complexity is low (AC:L). The vulnerability has a CVSS 3.1 score of 8.7, reflecting a high impact on confidentiality and integrity and no impact on availability. The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, potentially allowing privilege escalation or data leakage across security boundaries. Exploiting this vulnerability could allow an attacker to hijack user sessions, steal sensitive information, perform actions on behalf of the user, or deliver further malware payloads. Although no exploits are currently reported in the wild, the vulnerability's nature and severity make it a significant risk for organizations using the affected versions of Product Manager. Because no patches had been published at the time of disclosure, mitigation strategies need immediate attention.
Potential Impact
For European organizations, the impact of CVE-2025-4990 can be substantial, especially for those relying on Dassault Systèmes' 3DEXPERIENCE platform for product lifecycle management and change governance. The vulnerability could lead to unauthorized access to sensitive intellectual property, design documents, and change management workflows, potentially resulting in industrial espionage, data breaches, and operational disruptions. Given the collaborative nature of Product Manager, exploited XSS could facilitate lateral movement within corporate networks or compromise multiple users simultaneously. This risk is heightened in sectors such as aerospace, automotive, manufacturing, and engineering, where Dassault Systèmes products are widely used and where data confidentiality and integrity are critical. Additionally, regulatory compliance frameworks in Europe, such as GDPR, impose strict data protection requirements; a breach resulting from this vulnerability could lead to significant legal and financial penalties. Because the vulnerability affects confidentiality and integrity without impacting availability, attacks might remain stealthy and undetected for extended periods, increasing potential damage.
Mitigation Recommendations
Given the absence of official patches at the time of disclosure, European organizations should implement immediate compensating controls. These include:
1) Restricting access to the Change Governance module to trusted users only and enforcing the principle of least privilege to minimize the number of users with write permissions capable of injecting malicious scripts.
2) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the Product Manager interface.
3) Conducting thorough input validation and output encoding on any custom integrations or extensions interacting with the Product Manager to prevent injection of malicious scripts.
4) Enhancing user awareness and training to recognize suspicious behaviors and avoid interacting with untrusted links or content within the platform.
5) Monitoring logs and user activity for anomalies indicative of XSS exploitation attempts.
6) Preparing for rapid deployment of official patches once released by Dassault Systèmes and testing updates in controlled environments before production rollout.
7) Considering network segmentation to isolate critical Product Manager instances from broader corporate networks to limit lateral movement in case of compromise.
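For recommendation 3, the added example below (not Dassault Systèmes code and not from the original advisory) shows output encoding in a custom integration that displays stored change records, with the weak renderer beside the hardened one. The record shape and the field names `title`, `description` and `referenceUrl` are hypothetical, and the sample record is constructed.

```javascript
// Added example: output encoding for a custom integration that displays stored
// change records. Field names (title, description, referenceUrl) are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode for HTML text and quoted-attribute contexts.
function encodeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme or parse failure becomes "#".
function safeHref(value) {
  try {
    const url = new URL(String(value ?? "").trim());
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
  } catch {
    return "#";
  }
}

// Weak form: stored values are concatenated into markup unchanged.
function renderRowUnsafe(rec) {
  return `<tr><td>${rec.title}</td><td>${rec.description}</td>` +
         `<td><a href="${rec.referenceUrl}">reference</a></td></tr>`;
}

// Hardened form: every stored value is encoded for the context it lands in.
function renderRowSafe(rec) {
  return `<tr><td>${encodeHtml(rec.title)}</td><td>${encodeHtml(rec.description)}</td>` +
         `<td><a href="${encodeHtml(safeHref(rec.referenceUrl))}">reference</a></td></tr>`;
}

// Constructed sample record, as it might come back from storage after a
// low-privileged user saved markup in free-text fields.
const storedRecord = {
  title: "Update bracket <script>alert(1)</script>",
  description: 'Tolerance "tight" & <b>urgent</b>',
  referenceUrl: "javascript:alert(1)",
};

console.log(renderRowUnsafe(storedRecord)); // markup reaches the page intact
console.log(renderRowSafe(storedRecord));   // markup is shown as inert text
```

Encoding at render time matters for stored XSS because the record may have been written through a path the integration does not control, so input validation alone cannot be relied on.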
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: 3DS
- Date Reserved: 2025-05-20T07:30:40.392Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6839c097182aa0cae2b3b6b0
Added to database: 5/30/2025, 2:28:39 PM
Last enriched: 7/8/2025, 1:42:24 PM
Last updated: 7/30/2025, 4:11:09 PM