Warning: Multiple vulnerabilities in Newforma Info Exchange and Newforma Project Center Server, Mitigate Immediately!

Published: 13/10/2025

 

    * Last update:  13/10/2025
   
    * Affected software: Newforma Info Exchange (NIX) and Newforma Project Center Server (NPCS)
 
    * Type:
        → CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
        → CWE-294 Authentication Bypass by Capture-replay
        → CWE-306 Missing Authentication for Critical Function
        → CWE-434 Unrestricted Upload of File with Dangerous Type
        → CWE-502 Deserialization of Untrusted Data

 
    * CVE/CVSS
        → CVE-2025-35050: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
        → CVE-2025-35051: CVSS 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/MAV:A)
        → CVE-2025-35055: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
        → CVE-2025-35058: CVSS 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
        → CVE-2025-35061: CVSS 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

 

Sources

 
Github-CISA: https://github.com/cisagov/CSAF/blob/develop/csaf_files/IT/white/2025/va-25-282-01.json
 

Risks

Multiple vulnerabilities in NIX and NPCS servers could allow attackers to gain full control of affected devices. A malicious actor can compromise a NIX server to deploy ransomware. A compromised NIX server can also be used to further infect other interconnected systems, for example a Newforma Project Center Server (NPCS), which is commonly used in such a setup. This leads to a high risk of internal information being accessed by unauthorized persons, which has a high impact on the confidentiality, integrity and availability of the data stored on that server.

Description

CVE-2025-35050 is a critical-severity vulnerability in the NIX '/remoteweb/remote.rem' endpoint that allows unauthenticated remote code execution with 'NT AUTHORITY\NetworkService' privileges. The vulnerable endpoint is used by Newforma Project Center Server (NPCS), so a compromised NIX system can be used to attack an associated NPCS system.

CVE-2025-35051 is a high-severity vulnerability in the NPCS '/ProjectCenter.rem' endpoint on port 9003 that allows unauthenticated remote code execution with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network.

CVE-2025-35055 is a high-severity vulnerability in NIX '/UserWeb/Common/UploadBlueimp.ashx' that allows authenticated attackers to upload arbitrary files to any location writeable by the NIX application. This vulnerability can be chained together with CVE-2025-35062 to allow attackers to authenticate as anonymous and exploit this file upload vulnerability. Specifics of this vulnerability exist in Newforma before 2023.1.

CVE-2025-35058 is a high-severity vulnerability in NIX '/UserWeb/Common/MarkupServices.ashx' that allows remote unauthenticated attackers to cause NIX to make an SMB connection to an attacker-controlled system. Exploiting this allows the attacker to capture the NTLMv2 hash of the customer-configured NIX service account.

CVE-2025-35061 is a high-severity vulnerability in NIX '/NPCSRemoteWeb/LegacyIntegrationServices.asmx' that allows remote unauthenticated attackers to cause NIX to make an SMB connection to an attacker-controlled system. Exploiting this allows the attacker to capture the NTLMv2 hash of the user-configured NIX service account.

Several medium-severity vulnerabilities are listed below:

  • CVE-2025-35052: CVSS 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
  • CVE-2025-35053: CVSS 6.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:L)
  • CVE-2025-35054: CVSS 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
  • CVE-2025-35056: CVSS 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N)
  • CVE-2025-35057: CVSS 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
  • CVE-2025-35059: CVSS 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)
  • CVE-2025-35060: CVSS 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
  • CVE-2025-35062: CVSS 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Recommended Actions

 
Mitigate 

The Centre for Cybersecurity Belgium strongly recommends mitigating these vulnerabilities by restricting network access to the vulnerable endpoints on the NIX and NPCS servers, for example by using the IIS URL Rewrite Module. For more information on how to mitigate specific vulnerabilities, check NVD. Vulnerabilities that do not have a patch should be mitigated by reducing the attack surface of the vulnerable device.
 
Monitor/Detect 

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version or implementing specific mitigations may provide safety from future exploitation, it does not remediate historic compromise.
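
The following added example, which is not part of the original advisory, reads IIS W3C logs and lists requests to the NIX endpoints named above that come from clients outside an allowlist, marking whether each was refused. The allowlisted address, the 403 deny status and the sample log lines are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network
# NIX endpoint paths named in the advisory, lower-cased for case-insensitive matching.
WATCHED = {
    "/remoteweb/remote.rem": "CVE-2025-35050",
    "/userweb/common/uploadblueimp.ashx": "CVE-2025-35055",
    "/userweb/common/markupservices.ashx": "CVE-2025-35058",
    "/npcsremoteweb/legacyintegrationservices.asmx": "CVE-2025-35061",
}
# Assumption: after mitigation only the NPCS host (constructed address) may reach them.
ALLOWED = [ip_network("10.20.0.15/32")]

def is_allowed(ip, allowed):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparsable client address is never trusted
    return any(addr in net for net in allowed)

def triage(lines, allowed=ALLOWED):
    """Return one finding per watched-endpoint request from a non-allowlisted client."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "")
        cve = WATCHED.get(path.lower())
        if cve is None or is_allowed(row.get("c-ip", ""), allowed):
            continue
        status = row.get("sc-status", "")
        # Assumption: the deny rule answers 403; any other status reached the application.
        findings.append({"cve": cve, "client": row.get("c-ip", ""), "path": path,
                         "status": status, "blocked": status == "403"})
    return findings
# Constructed sample in IIS W3C extended log format.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-10-14 08:01:12 POST /remoteweb/remote.rem 10.20.0.15 200
2025-10-14 08:03:40 POST /RemoteWeb/remote.rem 203.0.113.7 200
2025-10-14 08:04:02 GET /UserWeb/Common/MarkupServices.ashx 198.51.100.23 403
2025-10-14 08:05:00 GET /UserWeb/Default.aspx 203.0.113.7 200
"""
if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with `blocked` set to false on historic logs is a lead for incident response, since the request was answered by the application rather than by the access restriction.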
 
 

References

NIST: