
CVE-2025-9976: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Dassault Systèmes Station Launcher App in 3DEXPERIENCE platform

Severity: Critical
Published: Mon Oct 13 2025 (10/13/2025, 07:33:15 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: Station Launcher App in 3DEXPERIENCE platform

Description

An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to execute arbitrary code on the user's machine.

AI-Powered Analysis

Last updated: 10/21/2025, 00:54:55 UTC

Technical Analysis

CVE-2025-9976 is an OS command injection vulnerability (CWE-78) in the Station Launcher App component of Dassault Systèmes' 3DEXPERIENCE platform, affecting releases R2022x through R2025x. The weakness is improper neutralization of special characters in data that the launcher places into an OS command: an attacker who controls that data can append or substitute commands that the operating system then executes. The vendor description says the resulting code runs on the user's machine, i.e. on the client where the launcher is installed, so the attacker obtains whatever privileges the launcher process holds for that user.

The CVSS v3.1 metrics cited for the issue require low privileges (PR:L) and user interaction (UI:R), for example persuading a user to open content or start a session that drives the vulnerable command path. The base score is 9.0 (Critical), with high impact on confidentiality, integrity and availability (C:H/I:H/A:H) and a changed scope (S:C): the injected command executes outside the security boundary of the launcher itself, so compromise is not confined to the application. No exploitation in the wild had been reported at the time of analysis, but the combination of arbitrary code execution, changed scope and a critical score makes this a high-risk issue. 3DEXPERIENCE is widely deployed for product lifecycle management (PLM) in aerospace, automotive and manufacturing, and the Station Launcher App is the component used to launch and manage software sessions on engineering workstations; code execution there enables theft of design data, sabotage, or lateral movement into the wider network.
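To make the weakness class concrete, the following is an added illustration of CWE-78 in a generic launcher. It is not the Station Launcher App's code (the vulnerable code path has not been published) and does not claim to reproduce how that app builds its commands; the program names, the `--session` parameter and the session id format are assumptions for the demonstration, and `echo` stands in for a real application so the block runs anywhere with a POSIX shell. It shows the injectable pattern (a shell-parsed command string), the same call made with an argument vector, and a hardened version that also allow-lists the program and validates the id.

```python
"""Illustration of CWE-78 (OS command injection) and its fix.

Constructed example for this page; not code from Dassault Systemes or the
Station Launcher App. It models a generic launcher that starts a program
with an untrusted session id (assumed parameter name and format).
"""
import re
import subprocess

# Hypothetical allow-list of launchable programs. "echo" stands in for a real
# application so the demonstration runs without any vendor software installed.
ALLOWED_APPS = {"demo": "echo"}

# Assumed session id format: a short token of safe characters only.
SESSION_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def launch_vulnerable(app: str, session: str) -> str:
    """CWE-78 pattern: untrusted text is spliced into a single command string
    that /bin/sh parses, so metacharacters in `session` become new commands."""
    program = ALLOWED_APPS.get(app, app)
    cmd = f"{program} --session {session}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def launch_argv_only(app: str, session: str) -> str:
    """Argument vector, no validation: the value reaches the program as one
    literal argument because no shell ever parses it."""
    argv = [ALLOWED_APPS.get(app, app), "--session", session]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def launch_hardened(app: str, session: str) -> str:
    """Full fix: allow-list the program, reject session ids outside the safe
    character set (rather than trying to escape them), and use an argv list."""
    if app not in ALLOWED_APPS:
        raise ValueError(f"unknown application {app!r}")
    if not SESSION_RE.fullmatch(session):
        raise ValueError("session id contains characters outside the allowed set")
    argv = [ALLOWED_APPS[app], "--session", session]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "demo1; echo INJECTED"  # constructed attacker-controlled input
    print(repr(launch_vulnerable("demo", payload)))  # second command runs
    print(repr(launch_argv_only("demo", payload)))   # payload stays literal
    try:
        launch_hardened("demo", payload)
    except ValueError as err:
        print("rejected:", err)
```

The argv form alone removes the shell from the path, which is the decisive fix for this weakness; the allow-list and character check in `launch_hardened` are the defence in depth that also stops an attacker from choosing which program is started or passing option-like values to it.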

Potential Impact

For European organizations the impact is significant because 3DEXPERIENCE is widely adopted in automotive, aerospace, manufacturing and engineering. Successful exploitation yields code execution on the user's workstation running the Station Launcher App, which can expose design data and other intellectual property, disrupt engineering workflows and allow sabotage of product development. A compromised workstation is also a foothold for lateral movement, raising the risk of a broader enterprise-wide breach. Given the critical CVSS score, the potential for operational downtime, financial loss and reputational damage is substantial. Because exploitation needs user interaction, phishing and social engineering are the likely delivery vectors, which puts every user of the launcher within an attacker's reach. Organizations in sectors with strong regulatory oversight and sensitive intellectual property are most exposed to the confidentiality and integrity impacts.

Mitigation Recommendations

No patch links were included in the record at the time of this report, so organizations should track Dassault Systèmes' advisories and apply the vendor fix for the affected releases (R2022x through R2025x) as soon as it is available; because the injection point is inside the vendor's launcher, the controls below are compensating measures, not a substitute for the update. In the interim, validate and sanitize any data that organization-controlled integrations or scripts pass to the Station Launcher App, rejecting shell metacharacters rather than trying to escape them. Run the launcher under the least privilege its users need, so that a successful injection inherits a limited account rather than administrative rights. Brief users that the flaw requires user interaction, which makes phishing and social-engineering lures the likely trigger. Use application allow-listing and endpoint detection and response (EDR) to detect and block unexpected child processes, in particular command interpreters, spawned by the launcher. Segment engineering workstations from the rest of the network to contain lateral movement from a compromised host. Audit and monitor logs for unusual process activity associated with the Station Launcher App. Coordinate with Dassault Systèmes support channels for updates and advisories. Finally, enforce multi-factor authentication and tighter access controls around critical PLM systems to limit what a compromised workstation can reach.
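As an added example of the monitoring the recommendations call for (not a Dassault Systèmes rule and not any EDR vendor's logic), the following scans constructed process-creation records in the style of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) and flags a child command interpreter, shell metacharacters, or an encoded PowerShell command whose parent is the launcher. The launcher image name `StationLauncher.exe` and the application names in the sample records are hypothetical; a real deployment would substitute the actual image path of the launcher and tune the interpreter list.

```python
"""Detection sketch for launcher-spawned command execution.

Added example for this page; it is not a Dassault Systemes or EDR vendor rule.
Records below are constructed in a Sysmon Event ID 1 style. The launcher and
application image names are hypothetical placeholders.
"""
import re

LAUNCHER_NAMES = {"stationlauncher.exe"}  # hypothetical launcher image name
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# Characters that have no business in a command line a launcher assembles to
# start a known application with a session id.
METACHAR_RE = re.compile(r"[&|;`]|\$\(")
# -e / -enc / -EncodedCommand followed by whitespace (PowerShell).
ENCODED_PS_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s", re.IGNORECASE)

# Constructed sample records (hypothetical paths and names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Dassault Systemes\StationLauncher.exe",
     "Image": r"C:\Program Files\Dassault Systemes\CATIA.exe",
     "CommandLine": r'"C:\Program Files\Dassault Systemes\CATIA.exe" --session 3a9f2c'},
    {"ParentImage": r"C:\Program Files\Dassault Systemes\StationLauncher.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "app.exe --session 3a9f2c & powershell -enc SQBFAFgA"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "dir & type notes.txt"'},
    {"ParentImage": r"C:\Program Files\Dassault Systemes\StationLauncher.exe",
     "Image": r"C:\Program Files\Dassault Systemes\app.exe",
     "CommandLine": 'app.exe --session "3a9f|calc.exe"'},
]


def basename(path: str) -> str:
    """Last path component, case-folded; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def inspect_event(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means benign.
    Only children of the launcher are examined, so an ordinary user shell
    started from the desktop (record 3) is not flagged."""
    reasons = []
    if basename(event.get("ParentImage", "")) not in LAUNCHER_NAMES:
        return reasons
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if child in SHELL_INTERPRETERS:
        reasons.append(f"launcher spawned interpreter {child}")
    if METACHAR_RE.search(cmdline):
        reasons.append("shell metacharacters in command line")
    if ENCODED_PS_RE.search(cmdline):
        reasons.append("encoded PowerShell command")
    return reasons


def scan(events) -> list:
    """(index, reasons) for every suspicious record in `events`."""
    findings = []
    for index, event in enumerate(events):
        reasons = inspect_event(event)
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"record {index}: " + "; ".join(reasons))
```

The parent-process condition is what keeps the rule precise: interpreters and metacharacters are common across a workstation, but a launcher whose job is to start a known application with a session id should never itself spawn `cmd.exe` or `powershell.exe`. Blocking, rather than only alerting on, that parent-child pair is the application-control counterpart of the same logic.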


Technical Details

Data Version
5.1
Assigner Short Name
3DS
Date Reserved
2025-09-04T11:28:40.897Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68ecae3d13a035d7a7575c20

Added to database: 10/13/2025, 7:46:05 AM

Last enriched: 10/21/2025, 12:54:55 AM

Last updated: 12/5/2025, 3:02:37 AM

Views: 152
