Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.
AnalysisAI
Path traversal in DELMIA Factory Resource Manager (3DEXPERIENCE R2023x through R2025x) allows authenticated remote attackers to read sensitive files and write files to specific server directories. The vulnerability affects the Factory Resource Management component and requires low-privilege authentication (CVSS PR:L) with low attack complexity. EPSS data not available; no public exploit identified at time of analysis. This represents a significant data exposure risk in industrial manufacturing environments using Dassault Systèmes' 3DEXPERIENCE platform.
Technical ContextAI
DELMIA Factory Resource Manager is a component of Dassault Systèmes' 3DEXPERIENCE platform used for manufacturing resource planning and factory simulation. The vulnerability is a CWE-22 path traversal flaw, where insufficient input validation allows attackers to manipulate file paths using directory traversal sequences (e.g., '../') to access files outside intended directories. The affected CPE (cpe:2.3:a:dassault_systèmes:delmia_factory_resource_manager) indicates this is a server-side component accessible over the network. Path traversal vulnerabilities typically occur when user-supplied input is concatenated into file system operations without proper sanitization, canonicalization, or whitelist validation. In this case, the Factory Resource Management module fails to restrict file operations to safe directories, enabling both read and write access to server filesystem locations that should be protected.
RemediationAI
Apply vendor-released security updates from Dassault Systèmes as documented in their official security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559. The advisory should specify patched versions for each affected 3DEXPERIENCE release family (R2023x, R2024x, R2025x). Until patches can be deployed, implement network-level access controls to restrict Factory Resource Manager access to trusted users and IP ranges only. Review and audit user privilege assignments to ensure principle of least privilege, as the vulnerability requires authenticated access. Monitor file system access logs for unusual traversal patterns or access to sensitive directories. Consider disabling the Factory Resource Management component if not actively required for operations. Organizations should prioritize patching systems that handle proprietary manufacturing data or connect to production networks.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209135
GHSA-8pjm-jgvr-53w9