CVE-2025-10553: High Vulnerability in 3ds 3DEXPERIENCE

CVE-2025-10553 is a stored cross-site scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x. This vulnerability allows attackers to execute arbitrary script code in a user's browser session. With a CVSS score of 8.7, this high-severity vulnerability poses a significant risk to organizations utilizing affected versions of the software. The potential for exploitation is high, making this a crucial concern for security teams.

Organizations should prioritize patching immediately. The vulnerability requires user interaction to exploit, but once executed, it could lead to significant confidentiality and integrity impacts. The attack vector is network-based, enabling remote attackers to target vulnerable installations through crafted web content.

Given the nature of the vulnerability, it is crucial for organizations to assess their exposure and implement necessary mitigations. The urgency is compounded by the fact that there is currently no public exploit available, but the potential for future exploitation remains a concern.

As this vulnerability has been analyzed, organizations using DELMIA Factory Resource Manager should check their installed versions and apply the necessary updates. This proactive measure will help mitigate the risks associated with CVE-2025-10553.

Vulnerability Details

The official description of CVE-2025-10553 highlights its classification as a stored cross-site scripting vulnerability. The CVSS score of 8.7 indicates a high severity level, primarily due to the impacts on confidentiality and integrity. The vendor of the affected product is 3ds, specifically targeting the 3DEXPERIENCE software, with the vulnerability disclosed on March 31, 2026.

The CWE classification for this vulnerability is CWE-79, which signifies improper neutralization of input during web page generation. It is crucial for organizations to understand this classification to effectively implement security measures.

Technical Analysis

The root cause of CVE-2025-10553 lies in the failure to adequately sanitize user input before rendering it on web pages. This oversight allows attackers to inject malicious scripts, which can execute in the context of the user's session. The attack vector is network-based, requiring an attacker to send specially-crafted requests to the vulnerable application.

Attack complexity is classified as low, meaning that the exploitation does not require sophisticated techniques. The privileges required for exploitation are low, as the attack can be initiated by an unauthenticated user. User interaction is required, as victims must be tricked into visiting a malicious link or page.

The impacts of this vulnerability include high confidentiality and integrity risks, as sensitive data may be accessed or modified by unauthorized parties. Availability impact is not applicable, as the vulnerability does not disrupt service but rather compromises data integrity.

Risk & Impact Analysis

Risk to organizations includes potential unauthorized access to sensitive information and manipulation of user sessions, which could lead to further attacks or data breaches. The blast radius of this vulnerability can be extensive, particularly in environments where multiple users interact with the application.

Organizations should assess their deployment risk based on the CVSS score of 8.7 and the fact that it is not currently listed in the KEV catalog. This vulnerability should be addressed in the priority patch cycle to mitigate immediate risks.

The EPSS score of 0.00037 indicates a very low probability of exploitation, but this should not lead to complacency. Security teams must remain vigilant and proactive in monitoring for potential threats.

Exploitation Status

Affected Versions

The affected versions of DELMIA Factory Resource Manager are from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x. Organizations should ensure they are running patched versions to mitigate the risk posed by this vulnerability.

Mitigation & Remediation

Organizations should prioritize applying patches provided by 3ds for the affected versions of 3DEXPERIENCE. If patches are not available, organizations may consider implementing additional input validation measures and employing web application firewalls to help mitigate risks associated with this vulnerability.

For further details on security assessments, organizations can refer to application security assessment services to improve their overall security posture.

Detection Guidance

To detect potential exploitation of CVE-2025-10553, organizations should monitor for unusual user behavior, such as unexpected script execution in user sessions. Logging of user input and output can also aid in identifying attempts to exploit this vulnerability.

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing risks associated with web applications and the necessity for continuous security assessments. Organizations should reevaluate their security strategies and ensure they are prepared to respond to emerging threats. Implementing penetration testing services can provide insights into vulnerabilities before they are exploited.

The trend of cross-site scripting vulnerabilities remains prevalent across various platforms. To combat this, security teams should focus on enhancing their input validation processes and educating users about the risks of interacting with untrusted content. Resources such as penetration testing methodology can significantly improve an organization's defense mechanisms.

In conclusion, CVE-2025-10553 serves as a reminder of the importance of proactive security measures and the need for constant vigilance in the face of evolving cyber threats. Organizations should take immediate steps to mitigate this vulnerability and safeguard their digital assets.