EUVD-2025-209134

CVE-2025-10553 - HIGH - 8.7 (CVSS 3.1)
2026-03-31 - 3DS - GHSA-2g4m-9v5x-mfwr

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 31, 2026 - 09:15 (vuln.today)
EUVD ID Assigned: Mar 31, 2026 - 09:15 (euvd) - EUVD-2025-209134
CVE Published: Mar 31, 2026 - 08:41 (nvd) - HIGH 8.7

Description

A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

Analysis

Stored cross-site scripting in Dassault Systèmes DELMIA Factory Resource Manager (R2023x through R2025x) allows authenticated attackers to inject malicious scripts that execute in victims' browser sessions. The changed scope (S:C) means the impact extends beyond the privileges of the vulnerable component, which is why the CVSS base score reaches 8.7. No public exploit code had been identified and the CVE was not listed in CISA KEV at the time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once authenticated access is obtained.

Technical Context

This vulnerability affects the Factory Resource Management module within Dassault Systèmes' DELMIA Factory Resource Manager, part of the 3DEXPERIENCE platform, in releases R2023x through R2025x. The flaw is classified as CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as cross-site scripting. Stored XSS occurs when user-supplied data is saved on the server (in a database, file system, or other persistent storage) without proper sanitization and is later rendered in web pages without adequate output encoding. In enterprise PLM and manufacturing execution systems like DELMIA, stored XSS can persist in shared resources, project configurations, or collaboration features that many users access, creating a vector for privilege escalation and data exfiltration across the manufacturing planning environment. The changed scope indicator (S:C) in the CVSS vector indicates that the vulnerability allows attackers to affect resources beyond the vulnerable component's security scope, potentially impacting adjacent 3DEXPERIENCE platform modules or session contexts.

Affected Products

Dassault Systèmes DELMIA Factory Resource Manager is affected across multiple releases of the 3DEXPERIENCE platform, specifically from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x inclusive. The vulnerability resides in the Factory Resource Management component used for managing manufacturing resources, production planning, and factory floor operations. The CPE identifier cpe:2.3:a:dassault_systèmes:delmia_factory_resource_manager:*:*:*:*:*:*:*:* encompasses all affected versions. Organizations running any release version within the R2023x, R2024x, or R2025x product families should consider their deployments vulnerable. Dassault Systèmes' official security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10553 provides authoritative confirmation of affected versions and deployment configurations.

Remediation

Organizations should immediately consult Dassault Systèmes' official security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10553 for vendor-specific remediation guidance and patch availability for their 3DEXPERIENCE release version. While the available intelligence does not specify exact patched versions, Dassault Systèmes typically releases security fixes through service pack updates or hotfixes for supported releases. Contact Dassault Systèmes support to obtain the appropriate patch for your R2023x, R2024x, or R2025x deployment. As interim mitigations pending patch deployment: implement strict input validation on all Factory Resource Management data entry points; apply Content Security Policy headers to limit script execution; review and sanitize existing stored content that may already contain injected scripts; restrict Factory Resource Management access to trusted users only; educate users about suspicious content or unexpected behaviour in the interface; and monitor web application logs for XSS attack patterns. Organizations should prioritize patching for internet-facing or widely accessible DELMIA deployments, where the attack surface is greatest.

Priority Score

44 (Low / Medium / High / Critical scale)
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0

EUVD-2025-209134 vulnerability details – vuln.today