Newforma Project Center CVE-2025-35051
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.
AnalysisAI
Remote code execution in Newforma Project Center Server (NPCS) 2024.3 allows unauthenticated attackers to execute arbitrary code with NT AUTHORITY\NetworkService privileges by sending malicious serialized .NET data to the '/ProjectCenter.rem' endpoint on TCP port 9003. The vulnerability stems from insecure deserialization of untrusted data on a network-exposed endpoint. While vendor architecture recommends internal-only deployment, the service accepts network connections without authentication (CVSS AV:N/PR:N), creating critical risk for organizations with exposed instances. CWE-306 (Missing Authentication) confirms the root cause as lack of authentication controls on a sensitive endpoint.
Technical ContextAI
The vulnerability affects Newforma Project Center Server version 2024.3 (CPE: cpe:2.3:a:newforma:project_center:2024.3), specifically the .NET Remoting endpoint accessible at '/ProjectCenter.rem' on TCP port 9003. .NET Remoting is a legacy inter-process communication framework that supports binary serialization of objects for remote method invocation. The endpoint accepts serialized .NET objects without authentication or input validation, enabling insecure deserialization attacks. The vulnerability is rooted in CWE-306 (Missing Authentication for Critical Function), where a security-critical endpoint that processes potentially dangerous serialized data lacks any form of authentication. When malicious serialized payloads are submitted, the .NET BinaryFormatter deserializes them, triggering arbitrary code execution in the context of the service account (NT AUTHORITY\NetworkService on Windows). This attack pattern is well-documented in .NET deserialization exploitation and is similar to vulnerabilities in other .NET Remoting implementations.
RemediationAI
IMMEDIATE: Implement network-level access controls to restrict TCP port 9003 access to only trusted internal networks and authenticated administrator workstations, using host-based firewall rules or network ACLs. This compensating control is explicitly recommended by the vendor and effectively reduces attack surface from AV:N to AV:A (adjacent network), though it does not fix the underlying authentication bypass. VENDOR PATCH STATUS: No vendor-released patch version is identified in available data. Organizations should monitor the Newforma support portal at https://projectcenter.help.newforma.com/ and the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json for patch availability and updated guidance. WORKAROUND TRADE-OFFS: Blocking port 9003 externally may impact legitimate remote administration workflows if they depend on this endpoint; verify alternative secure access methods (VPN, bastion hosts) are available before implementing. VERIFICATION: After implementing network restrictions, validate that port 9003 is not accessible from untrusted networks using external port scans and internal network segmentation testing.
More in Project Center
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today