CVE-2025-10559

Severity: High
Published: 31 March 2026
Modified: 06 April 2026
CVSS v3.1 base score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.0027 (18.5th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-10559 is a high-severity Path Traversal (CWE-22) vulnerability in 3Ds 3Dexperience. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) the CVE ranks at the 18.5th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-10559 is a Path Traversal vulnerability (CWE-22) in the Factory Resource Management component of DELMIA Factory Resource Manager, affecting releases from 3DEXPERIENCE R2023x through 3DEXPERIENCE R2025x. Published on 2026-03-31, it has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). The flaw enables an attacker to read or write files in specific directories on the affected server.

An attacker with low privileges, such as an authenticated user with network access to the system, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact unauthorized access to read sensitive files (confidentiality) and limited ability to modify files (integrity) in designated server directories, while availability remains unaffected.

The vendor's security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559 details recommended mitigations and available patches for addressing this issue.

Vulnerability details

A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in the network-accessible Factory Resource Manager component directly enables exploitation of a public-facing application (T1190) to obtain unauthorized reads of local files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10551 (same product: 3Ds 3Dexperience)
CVE-2025-10553 (same product: 3Ds 3Dexperience)
CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)
CVE-2023-42226 (shared CWE-22)
CVE-2026-39859 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2026-23939 (shared CWE-22)

Affected Assets

Vendor: 3ds
Product: 3dexperience
Versions: r2023x through r2025x

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the path traversal vulnerability in Factory Resource Management through identification, patching, and verification as detailed in the vendor advisory.

SI-10 Information Input Validation (prevent)
Validates file path inputs to Factory Resource Management to block directory traversal sequences like '../' that enable unauthorized file access.

AC-3 Access Enforcement (prevent)
Enforces approved access authorizations on server directories to restrict low-privilege users from reading or writing sensitive files despite path traversal attempts.
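The SI-10 control above amounts to one concrete check: every client-supplied path must resolve to a location inside the directory the component is allowed to touch. The function below is an added example of that check (not code from this page or from the vendor's product); the root directory and file names are constructed for the example, and the check is purely lexical, so a deployment whose tree may contain symbolic links must additionally re-check the os.path.realpath of the result.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed root."""


def resolve_within(root: str, requested: str) -> str:
    """Map a client-supplied relative path onto an absolute path under root.

    root:      absolute directory the component may read from or write to
               (constructed value in the tests, e.g. /srv/frm-data).
    requested: path fragment taken from the request.
    Returns the normalised absolute path, or raises PathTraversalError.
    """
    # Decode exactly once so percent-encoded traversal (%2e%2e%2f) is caught;
    # decoding twice would reintroduce a double-encoding bypass.
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is normalised too.
    decoded = decoded.replace("\\", "/")
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute path not allowed")
    root_norm = posixpath.normpath(root)
    # normpath collapses every '..' and '.' segment before the containment test.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # commonpath compares whole components, so /srv/frm-data2 is not accepted
    # as a child of /srv/frm-data the way a plain startswith() check would.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise PathTraversalError(f"path escapes root: {requested!r}")
    return candidate


def is_allowed(root: str, requested: str) -> bool:
    """Boolean form of resolve_within for callers that only need a verdict."""
    try:
        resolve_within(root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests against a constructed root directory.
    for req in ["resources/cell-01.xml", "../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "..\\..\\windows\\win.ini", "../frm-data2/x"]:
        print(f"{req!r:40} -> {'allowed' if is_allowed('/srv/frm-data', req) else 'rejected'}")
```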

References

Vendor security advisory: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559