Cyber Posture

CVE-2025-10559

High

Published: 31 March 2026

Modified: 06 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0007 (21.8th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10559 is a high-severity Path Traversal (CWE-22) vulnerability in 3DS 3DEXPERIENCE. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.8th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the path traversal vulnerability in Factory Resource Management through identification, patching, and verification as detailed in the vendor advisory.

Prevent: Validates file path inputs to Factory Resource Management to block directory traversal sequences like '../' that enable unauthorized file access.

Prevent: Enforces approved access authorizations on server directories to restrict low-privilege users from reading or writing sensitive files despite path traversal attempts.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in the network-accessible Factory Resource Manager component directly enables exploitation of a public-facing application (T1190) for unauthorized local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.

Deeper analysis

CVE-2025-10559 is a Path Traversal vulnerability (CWE-22) in the Factory Resource Management component of DELMIA Factory Resource Manager, affecting releases from 3DEXPERIENCE R2023x through 3DEXPERIENCE R2025x. Published on 2026-03-31, it has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). The flaw enables an attacker to read or write files in specific directories on the affected server.

An attacker with low privileges, such as an authenticated user with network access to the system, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact unauthorized access to read sensitive files (confidentiality) and limited ability to modify files (integrity) in designated server directories, while availability remains unaffected.

The vendor's security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559 details recommended mitigations and available patches for addressing this issue.

Details

CWE(s)

CWE-22 (Path Traversal)

Affected Products

3ds 3dexperience: r2023x through r2025x

CVEs Like This One

CVE-2025-10551 (same product: 3DS 3DEXPERIENCE)
CVE-2025-10553 (same product: 3DS 3DEXPERIENCE)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)
CVE-2025-25155 (shared CWE-22)
CVE-2024-51376 (shared CWE-22)
CVE-2024-13471 (shared CWE-22)
