
CVE-2025-9976: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Dassault Systèmes Station Launcher App in 3DEXPERIENCE platform

Severity: Critical
Tags: Vulnerability, CVE-2025-9976, CWE-78
Published: Mon Oct 13 2025 (10/13/2025, 07:33:15 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: Station Launcher App in 3DEXPERIENCE platform

Description

An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to execute arbitrary code on the user's machine.

AI-Powered Analysis

AI analysis last updated: 10/13/2025, 07:46:32 UTC

Technical Analysis

CVE-2025-9976 is an OS Command Injection vulnerability (CWE-78) in the Station Launcher App component of Dassault Systèmes' 3DEXPERIENCE platform, affecting releases R2022x through R2025x. The root cause is the classic CWE-78 pattern: data that ends up in an OS command is not neutralized, so special characters in it can terminate the intended command and append attacker-chosen ones, which then run on the user's machine in the context of the user running the launcher.

The CVSS v3.1 score is 9.0 (Critical). Exploitation requires low privileges (PR:L) and user interaction (UI:R), but no further authentication barrier; the score reflects high impact on confidentiality, integrity and availability combined with low attack complexity. Arbitrary code execution on the workstation can lead to data theft, tampering with design data, or denial of service.

No public exploit is known at the time of writing. The Station Launcher App launches and manages 3DEXPERIENCE sessions on the user's workstation, and the platform is widely deployed in industrial design, manufacturing and engineering, so the practical exposure is significant. Four consecutive major releases are affected, which indicates a long window of exposure. The plausible vectors are a user being tricked into acting on attacker-supplied input, or crafted inputs within the application environment; the advisory does not publish the precise injection point, so defenders should assume any data the launcher forwards to a command is in scope. Organizations running the affected releases should treat remediation as urgent.
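As an added illustration of the CWE-78 pattern described above (example code written for this page, not Dassault Systèmes' code; the launcher name, the `--session` flag and the session-id format are assumptions), the block below contrasts a command built by string concatenation with a hardened form that allowlists the identifier and passes it as its own argv element without a shell:

```python
import re
import subprocess
import sys

# Hypothetical launcher binary name and flag; the real Station Launcher App's
# internals are not documented on this page.
LAUNCHER = "station_launcher"


def vulnerable_command(session_id: str) -> str:
    """CWE-78 pattern: untrusted input spliced into a shell command string.

    A launcher that hands this string to os.system() or subprocess with
    shell=True lets a crafted session_id end the intended command and append
    its own (e.g. '; calc' under a POSIX shell, '& calc' under cmd.exe).
    """
    return f"{LAUNCHER} --session {session_id}"


# Allowlist for the identifier: letters, digits, dot, underscore, hyphen only.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_session_id(session_id: str) -> str:
    """Reject anything outside the allowlist instead of trying to escape it."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"rejected session id: {session_id!r}")
    return session_id


def hardened_argv(session_id: str) -> list:
    """Hardened form: validated input, passed as a separate argv element, no shell."""
    return [LAUNCHER, "--session", validate_session_id(session_id)]


def run_argv_demo(session_id: str) -> str:
    """Show that an argv list keeps metacharacters literal even without validation.

    The running Python interpreter stands in for the launcher binary so the
    example runs anywhere; the child simply echoes its first argument back.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", session_id],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    payload = "sess-42; echo INJECTED"
    # With shell=True the part after ';' would execute as a second command.
    print("vulnerable:", vulnerable_command(payload))
    # As a single argv element the whole payload is just a string to the child.
    print("argv demo :", run_argv_demo(payload))
    try:
        hardened_argv(payload)
    except ValueError as err:
        print("hardened  :", err)
    print("hardened  :", hardened_argv("sess-42"))
```

The two defences are independent: the argv list removes the shell parser from the path, and the allowlist stops the launched program itself from receiving option-like or path-like values it was never meant to see.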

Potential Impact

For European organizations in aerospace, automotive, industrial manufacturing and engineering that rely on the 3DEXPERIENCE platform, this vulnerability poses a critical risk. Successful exploitation gives an attacker code execution on a user's workstation, which can lead to data breaches, theft of intellectual property, sabotage of design and manufacturing data, and disruption of operations. Because the launcher runs on engineering workstations that hold credentials and network access to the wider platform, a compromised machine is a natural pivot for lateral movement. Given the platform's role in product lifecycle management (PLM), both the integrity of design data and operational continuity are at stake, and disruption can propagate into supply chains and production lines with significant financial and reputational damage. The requirement for user interaction and for some existing privilege makes automated mass exploitation less likely, but it does not prevent targeted attacks, in particular spear-phishing or social engineering aimed at engineering staff. The absence of known exploitation in the wild provides a window for proactive defence; the critical severity argues for using it immediately.

Mitigation Recommendations

1. Monitor Dassault Systèmes' official channels for patches addressing CVE-2025-9976 and apply them as soon as they are released.
2. Until patches are available, run the Station Launcher App under accounts with the minimum privileges needed, so that code executed through the launcher inherits as little as possible.
3. Deploy application allowlisting and endpoint detection and response (EDR), and alert on the launcher process spawning command interpreters (cmd.exe, PowerShell, script hosts) or on command lines containing chaining or redirection metacharacters.
4. Educate users about social engineering and about treating unexpected prompts, links or launch requests that feed input to the launcher with caution.
5. Audit Station Launcher App configurations and logs regularly for anomalous behaviour or unexpected command executions.
6. Segment networks so that a compromised workstation cannot reach the rest of the platform or other engineering systems unchecked.
7. In any custom integrations or scripts that pass data to the Station Launcher App, validate and allowlist inputs and pass them as discrete arguments rather than building shell command strings.
8. Engage Dassault Systèmes support for guidance and possible workarounds until official patches are available.
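As an added example supporting the detection and audit recommendations above (written for this page, not vendor or product code), the block below runs a simple rule over constructed process-creation events in a Sysmon-like shape. The launcher's executable image name, the child application name and the event contents are assumptions; substitute the image name you actually observe in your estate.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed launcher image name; the real executable name is not on this page.
LAUNCHER_IMAGE = "stationlauncher.exe"

# Interpreters that a session launcher has no routine reason to spawn.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Tokens that chain, pipe or redirect commands; a legitimate session
# argument should never contain them.
CHAIN_TOKENS = re.compile(r"&&|\|\||[;&|`<>]|\$\(")

# PowerShell -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Normalise a full path to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> List[str]:
    """Return the list of reasons an event looks like launcher command injection."""
    if image_name(ev.parent_image) != LAUNCHER_IMAGE:
        return []
    reasons = []
    child = image_name(ev.image)
    if child in SHELL_IMAGES:
        reasons.append(f"launcher spawned interpreter {child}")
    if CHAIN_TOKENS.search(ev.command_line):
        reasons.append("command chaining/redirection token in command line")
    if ENCODED_PS.search(ev.command_line):
        reasons.append("encoded PowerShell command")
    return reasons


def detect(events: List[ProcEvent]) -> List[dict]:
    """Run score_event over a batch and keep only the events with findings."""
    hits = []
    for index, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append({"index": index, "image": image_name(ev.image),
                         "reasons": reasons})
    return hits


# Constructed sample telemetry, not real events from any product.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\3DS\StationLauncher.exe",
              '"StationLauncher.exe" --session sess-42'),
    ProcEvent(r"C:\3DS\StationLauncher.exe", r"C:\3DS\DesignApp.exe",
              '"DesignApp.exe" --session sess-42'),
    ProcEvent(r"C:\3DS\StationLauncher.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "launch sess-42 & powershell -enc SQBFAFgA"'),
    ProcEvent(r"C:\3DS\StationLauncher.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c whoami"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c ipconfig"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['index']} ({hit['image']}): " + "; ".join(hit["reasons"]))
```

The parent-process condition is what keeps the rule quiet: a cmd.exe under svchost.exe is ignored, while the same child under the launcher is flagged. Tune SHELL_IMAGES against a baseline of what the launcher legitimately starts before enabling alerting.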


Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2025-09-04T11:28:40.897Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ecae3d13a035d7a7575c20

Added to database: 10/13/2025, 7:46:05 AM

Last enriched: 10/13/2025, 7:46:32 AM

Last updated: 10/13/2025, 11:19:33 AM
