Description
A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.
Published: 2026-03-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server File Access and Modification
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in the Factory Resource Management component of DELMIA Factory Resource Manager enables an attacker to read or write files in designated directories on the server. The vulnerability, identified as a CWE-22 weakness, could allow an adversary to exfiltrate sensitive data or modify configuration files, thereby compromising the confidentiality and integrity of the system. It does not directly lead to remote code execution, but the ability to alter files could facilitate subsequent attacks if malicious code is injected.

Affected Systems

Dassault Systèmes DELMIA Factory Resource Manager versions released under 3DEXPERIENCE R2023x through R2025x are affected. Users of any of these releases should check whether their environment contains the flaw.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity, while an EPSS score of less than 1% suggests low current exploitation likelihood. The flaw is not listed in the CISA KEV catalog. Based on the component description, the likely attack vector is remote access via the software’s web interface; however, this is inferred rather than directly stated in the advisory.

Generated by OpenCVE AI on April 6, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑provided patch for DELMIA Factory Resource Manager that addresses the path traversal flaw.
  • If a patch is unavailable, upgrade the system to a release beyond 3DEXPERIENCE R2025x or a version on the vendor’s security‑patched list.
  • Restrict permissions on the affected directories so that only authorized processes and users can write to them.
  • Configure the web server to disallow traversal characters in incoming requests, using URL filtering or regex rules.
  • Monitor logs for attempted traversal patterns and investigate any anomalies promptly.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 3ds; 3ds 3dexperience
CPEs | | cpe:2.3:o:3ds:3dexperience:*:*:*:*:*:*:*:*
Vendors & Products | | 3ds; 3ds 3dexperience

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dassault Systèmes; Dassault Systèmes delmia Factory Resource Manager
Vendors & Products | | Dassault Systèmes; Dassault Systèmes delmia Factory Resource Manager

Tue, 31 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.
Title | | Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: 3DS

Published:

Updated: 2026-03-31T18:04:37.440Z

Reserved: 2025-09-16T12:56:50.206Z

Link: CVE-2025-10559

Vulnrichment

Updated: 2026-03-31T15:04:14.260Z

NVD

Status: Analyzed

Published: 2026-03-31T09:16:21.970

Modified: 2026-04-06T15:17:19.867

Link: CVE-2025-10559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:08Z

Weaknesses