PatchSiren cyber security CVE debrief

CVE-2026-7858 Dassault Systèmes CVE debrief

A critical deserialization vulnerability in Dassault Systèmes' Teamwork Cloud and Magic Collaboration Studio products enables unauthenticated remote code execution. The flaw stems from unsafe deserialization of untrusted data (CWE-502) across multiple product releases from 2022x through 2026x. The CVSS 3.1 score of 9.8 reflects network attack vector, low complexity, no privileges required, and no user interaction needed, with high impact across confidentiality, integrity, and availability. The vendor has published a security advisory acknowledging the issue. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: Dassault Systèmes
Product: Teamwork Cloud - Standard Edition
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running affected Dassault Systèmes collaboration platforms, particularly those with internet-accessible instances. Security teams responsible for engineering software supply chains and product lifecycle management (PLM) environments should prioritize assessment and patching.

Technical summary

The vulnerability exists in the deserialization handling within Teamwork Cloud (No Magic Release 2022x through 2026x) and Magic Collaboration Studio (CATIA Magic Release 2022x through 2026x). An attacker can send crafted serialized data to the application without authentication, triggering insecure deserialization that leads to arbitrary code execution on the target system. The attack requires no user interaction and can be executed over the network with minimal complexity.

Defensive priority

Critical

Recommended defensive actions

  • Apply security patches from Dassault Systèmes as they become available per the vendor security advisory
  • Restrict network access to Teamwork Cloud and Magic Collaboration Studio instances to authorized users and trusted networks
  • Monitor deserialization-related network traffic and application logs for anomalous activity
  • Review and update incident response procedures given the unauthenticated remote exploitation potential
  • Validate that security controls such as WAFs or application firewalls can detect and block deserialization attack patterns
  • Prioritize patching for internet-facing deployments of affected products

Evidence notes

CVE published and modified 2026-06-01. Vendor reference from [email protected] confirms affected product ranges and CWE-502 classification. NVD status: Awaiting Analysis. Vendor identification inferred from reference domain (3ds.com) with low confidence; requires review.
