CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Description
A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.
Analysis
Path traversal in DELMIA Factory Resource Manager (3DEXPERIENCE R2023x through R2025x) allows authenticated remote attackers to read sensitive files and write files to specific server directories. The vulnerability affects the Factory Resource Management component and requires low-privilege authentication (CVSS PR:L) with low attack complexity. EPSS data is not available, and no public exploit was identified at the time of analysis. This represents a significant data exposure risk in industrial manufacturing environments using Dassault Systèmes' 3DEXPERIENCE platform.
Technical Context
DELMIA Factory Resource Manager is a component of Dassault Systèmes' 3DEXPERIENCE platform used for manufacturing resource planning and factory simulation. The vulnerability is a CWE-22 path traversal flaw, where insufficient input validation allows attackers to manipulate file paths using directory traversal sequences (e.g., '../') to access files outside intended directories. The affected CPE (cpe:2.3:a:dassault_systèmes:delmia_factory_resource_manager) indicates this is a server-side component accessible over the network. Path traversal vulnerabilities typically occur when user-supplied input is concatenated into file system operations without proper sanitization, canonicalization, or whitelist validation. In this case, the Factory Resource Management module fails to restrict file operations to safe directories, enabling both read and write access to server filesystem locations that should be protected.
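As an added illustration of the canonicalize-then-validate control named above (not Dassault Systèmes' code; the page does not describe the product's implementation), the Python example below contrasts the flawed join-and-use pattern with a resolver that canonicalizes the path and checks it against a per-operation directory allow-list. The function names, the `models` and `uploads` directories and the policy are hypothetical, and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile

def naive_resolve(root, user_path):
    # Flawed pattern: user input is joined to the root and used unchecked.
    return os.path.normpath(os.path.join(root, user_path))

def _inside(parent, child):
    try:
        return os.path.commonpath([parent, child]) == parent
    except ValueError:  # e.g. paths on different drives on Windows
        return False

def safe_resolve(root, user_path, op, policy):
    """Return the canonical path if `op` is allowed there, else raise."""
    root = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks, so the check runs on
    # the path the OS would actually open, not on the string supplied.
    target = os.path.realpath(os.path.join(root, user_path))
    for sub in policy.get(op, ()):  # hypothetical allow-list of subdirectories
        if _inside(os.path.realpath(os.path.join(root, sub)), target):
            return target
    raise PermissionError(f"{op} denied for {user_path!r}")

def demo():
    """Build a constructed directory tree and try several request paths."""
    policy = {"read": ["models", "uploads"], "write": ["uploads"]}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "resources")
        for sub in ("models", "uploads"):
            os.makedirs(os.path.join(root, sub))
        # Symlink inside an allowed directory that points outside the root.
        os.symlink(tmp, os.path.join(root, "uploads", "link"))
        results["naive_escapes"] = not _inside(
            root, naive_resolve(root, "models/../../secret.cfg"))
        cases = [("read", "models/robot.xml"), ("write", "uploads/a.xml"),
                 ("write", "models/robot.xml"), ("read", "/etc/passwd"),
                 ("read", "models/../../secret.cfg"),
                 ("write", "uploads/link/secret.cfg")]
        for op, path in cases:
            try:
                safe_resolve(root, path, op, policy)
                results[(op, path)] = "allowed"
            except PermissionError:
                results[(op, path)] = "denied"
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The check is made on the canonical path, which is why the symlink case is denied even though its string form starts inside an allowed directory.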
Affected Products
The Dassault Systèmes DELMIA Factory Resource Manager component within the 3DEXPERIENCE platform, Release R2023x through Release R2025x, is affected (CPE: cpe:2.3:a:dassault_systèmes:delmia_factory_resource_manager:*:*:*:*:*:*:*:*). This includes all minor versions and updates within the R2023x, R2024x, and R2025x release families. Organizations running any 3DEXPERIENCE deployment with the Factory Resource Management module enabled should consider themselves potentially affected. Consult the vendor security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559 for complete product version confirmation and platform-specific details.
Remediation
Apply vendor-released security updates from Dassault Systèmes as documented in their official security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559. The advisory should specify patched versions for each affected 3DEXPERIENCE release family (R2023x, R2024x, R2025x). Until patches can be deployed, implement network-level access controls to restrict Factory Resource Manager access to trusted users and IP ranges only. Review and audit user privilege assignments to enforce the principle of least privilege, as the vulnerability requires authenticated access. Monitor file system access logs for unusual traversal patterns or access to sensitive directories. Consider disabling the Factory Resource Management component if it is not actively required for operations. Organizations should prioritize patching systems that handle proprietary manufacturing data or connect to production networks.
EUVD-2025-209135
GHSA-8pjm-jgvr-53w9