CVE-2025-10553
Published: 31 March 2026
Summary
CVE-2025-10553 is a high-severity Cross-site Scripting (CWE-79) vulnerability in 3DS 3DEXPERIENCE. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: JavaScript (T1059.007). It ranks at the 11.2th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely identification, reporting, and patching of the stored XSS flaw in DELMIA Factory Resource Manager.
- SI-10 (Information Input Validation): prevents low-privileged attackers from injecting malicious scripts into Factory Resource Management by validating all user input before it is stored.
- SI-15 (Information Output Filtering): blocks execution of stored malicious scripts in victims' browser sessions by filtering and encoding tainted output from the affected component.
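The two controls named above (validate at the storage boundary, encode at the rendering boundary) in working form, as an added example that is not code from the 3DEXPERIENCE product or the vendor advisory. The "factory resource" record, its fields, the label character allowlist and the sample payload are all constructed for illustration.

```javascript
// Added example, not product code. Demonstrates the two mitigations the advisory
// maps to this stored XSS: SI-10 (validate input before storing it) and
// SI-15 (encode output before rendering it). Record shape and values are constructed.

// Encoder for HTML text content and double-quoted attribute values.
// Every character that can change parsing context in those positions is escaped.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// SI-10: allowlist validation at the storage boundary. A resource label is
// restricted to a conservative character set and length; anything outside the
// allowlist is rejected rather than "cleaned", so no payload reaches storage.
const LABEL_RE = /^[A-Za-z0-9 _.\-]{1,64}$/;   // hypothetical policy for this example
function validateResourceLabel(label) {
  if (typeof label !== 'string' || !LABEL_RE.test(label)) {
    return { ok: false, reason: 'label must be 1-64 characters from [A-Za-z0-9 _.-]' };
  }
  return { ok: true, value: label };
}

// Vulnerable rendering pattern: stored, attacker-controlled fields concatenated
// straight into markup. Kept only to contrast with the hardened version below.
function renderResourceRowUnsafe(resource) {
  return `<tr data-id="${resource.id}"><td>${resource.label}</td></tr>`;
}

// SI-15: hardened rendering encodes every tainted field for the context it lands in
// (attribute value and element text both use encodeHtml here).
function renderResourceRowSafe(resource) {
  return `<tr data-id="${encodeHtml(resource.id)}"><td>${encodeHtml(resource.label)}</td></tr>`;
}

// Check a reviewer or test can run over rendered output: a raw "<script" token
// must never survive in markup built from stored data.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a record whose label carries a script payload, as a
// low-privileged user could have stored it before validation was in place.
const storedResource = { id: 'R-100', label: '<script>alert(1)</script>' };

// Stand-alone run: show rejection at input time and neutralisation at output time.
console.log('validate:', validateResourceLabel(storedResource.label));
console.log('unsafe  :', renderResourceRowUnsafe(storedResource));
console.log('safe    :', renderResourceRowSafe(storedResource));
```

Validation alone is not enough once a payload is already in the database, which is why the output encoder is applied unconditionally to stored fields; the `containsRawScriptTag` check is the kind of assertion a regression test for the fixed component can carry.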
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution in the victim's browser session and, because the scope changes to the victim's privileges, facilitates session hijacking.
NVD Description
A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Deeper analysis
CVE-2025-10553 is a Stored Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, affecting the Factory Resource Management component in DELMIA Factory Resource Manager. The issue impacts releases from 3DEXPERIENCE R2023x through 3DEXPERIENCE R2025x. It allows an attacker to execute arbitrary script code within a user's browser session. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality and integrity impacts.
Exploitation requires an attacker to hold low privileges (PR:L) within the affected system. The attacker can inject a malicious script payload that persists and executes when a victim user interacts with the tainted resource in a browser (UI:R), such as viewing it over the network (AV:N). Because the scope is changed (S:C), successful exploitation grants the script the privileges of the victim's session, enabling high-impact theft of sensitive data or manipulation of the application (C:H/I:H) without affecting availability (A:N).
The vendor's security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10553 provides details on mitigation and patching guidance for this vulnerability.
Details
- CWE(s): CWE-79 (Cross-site Scripting)