Skip to main content

Newforma Project Center CVE-2025-35051

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2025-10-09 9119a7d8-5eab-497f-8521-727c672e3725
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 26, 2026 - 19:15 vuln.today

DescriptionCVE.org

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

AnalysisAI

Remote code execution in Newforma Project Center Server (NPCS) 2024.3 allows unauthenticated attackers to execute arbitrary code with NT AUTHORITY\NetworkService privileges by sending malicious serialized .NET data to the '/ProjectCenter.rem' endpoint on TCP port 9003. The vulnerability stems from insecure deserialization of untrusted data on a network-exposed endpoint. While vendor architecture recommends internal-only deployment, the service accepts network connections without authentication (CVSS AV:N/PR:N), creating critical risk for organizations with exposed instances. CWE-306 (Missing Authentication) confirms the root cause as lack of authentication controls on a sensitive endpoint.

Technical ContextAI

The vulnerability affects Newforma Project Center Server version 2024.3 (CPE: cpe:2.3:a:newforma:project_center:2024.3), specifically the .NET Remoting endpoint accessible at '/ProjectCenter.rem' on TCP port 9003. .NET Remoting is a legacy inter-process communication framework that supports binary serialization of objects for remote method invocation. The endpoint accepts serialized .NET objects without authentication or input validation, enabling insecure deserialization attacks. The vulnerability is rooted in CWE-306 (Missing Authentication for Critical Function), where a security-critical endpoint that processes potentially dangerous serialized data lacks any form of authentication. When malicious serialized payloads are submitted, the .NET BinaryFormatter deserializes them, triggering arbitrary code execution in the context of the service account (NT AUTHORITY\NetworkService on Windows). This attack pattern is well-documented in .NET deserialization exploitation and is similar to vulnerabilities in other .NET Remoting implementations.

RemediationAI

IMMEDIATE: Implement network-level access controls to restrict TCP port 9003 access to only trusted internal networks and authenticated administrator workstations, using host-based firewall rules or network ACLs. This compensating control is explicitly recommended by the vendor and effectively reduces attack surface from AV:N to AV:A (adjacent network), though it does not fix the underlying authentication bypass. VENDOR PATCH STATUS: No vendor-released patch version is identified in available data. Organizations should monitor the Newforma support portal at https://projectcenter.help.newforma.com/ and the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json for patch availability and updated guidance. WORKAROUND TRADE-OFFS: Blocking port 9003 externally may impact legitimate remote administration workflows if they depend on this endpoint; verify alternative secure access methods (VPN, bastion hosts) are available before implementing. VERIFICATION: After implementing network restrictions, validate that port 9003 is not accessible from untrusted networks using external port scans and internal network segmentation testing.

Share

CVE-2025-35051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy