### Critical Vulnerability Information

- **CVE ID**: CVE-2025-35050
- **Release Date**: 2025-10-09
- **Update Date**: 2025-10-09
- **Title**: Newforma Info Exchange (NIX) .NET Unauthorized Deserialization
- **Description**:
  - Newforma Info Exchange (NIX) accepts serialized .NET data via the `/remoteweb/remote.rem` endpoint, allowing remote, unauthenticated attackers to execute arbitrary code with NT AUTHORITY/NetworkService privileges.
  - The vulnerable endpoint is used by Newforma Project Center Server (NPCS), meaning compromised NIX systems can be leveraged to attack associated NPCS systems.
  - Mitigation: Restrict network access to the `/remoteweb/remote.rem` endpoint, for example, using the IIS URL Rewrite module.
- **CWE**:
  - CWE-502: Deserialization of Untrusted Data
  - CWE-306: Missing Authentication for Critical Function
- **CVSS**:
  - CVSS v4.0: 9.3 (Critical)
  - CVSS v3.1: 9.8 (Critical)
- **Affected Products**:
  - Vendor: Newforma
  - Product: Project Center
  - Affected Versions: *.affected.txt *
- **Reference Links**:
  - projectcenter.help.newforma.com
  - learn.microsoft.com
  - raw.githubusercontent.com
  - cve.org
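
The mitigation named in the description (restricting access to `/remoteweb/remote.rem` with the IIS URL Rewrite module) could look like the following `web.config` fragment. This is an added example, not Newforma's published configuration. It assumes the URL Rewrite module is installed, that the rule lives in the site-root `web.config`, and that `192.0.2.10` is a placeholder for the NPCS server that legitimately uses the endpoint.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: merge the <rule> into the existing site-root web.config
     rather than replacing the file. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is hypothetical. Place it first so no earlier rule
             rewrites the request before this check runs. -->
        <rule name="Restrict-NIX-remote-rem" stopProcessing="true">
          <!-- The match URL is relative to the site root (no leading slash).
               No trailing "$", so extra path segments after remote.rem
               are covered as well. -->
          <match url="^remoteweb/remote\.rem" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- Placeholder allowlist: the NPCS server address. For several
                 servers use alternation, e.g. ^(192\.0\.2\.10|192\.0\.2\.11)$ -->
            <add input="{REMOTE_ADDR}" pattern="^192\.0\.2\.10$" negate="true" />
          </conditions>
          <!-- Every other client gets a 403 before the request reaches
               the .NET handler behind the endpoint. -->
          <action type="CustomResponse"
                  statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Access to this endpoint is restricted" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If NIX sits behind a reverse proxy or load balancer, `{REMOTE_ADDR}` is the proxy's address, so the allowlist has to be enforced at the proxy instead.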