Skip to main content

Project Center

2 CVEs product

Monthly

CVE-2025-35051 CRITICAL Act Now

Remote code execution in Newforma Project Center Server (NPCS) 2024.3 allows unauthenticated attackers to execute arbitrary code with NT AUTHORITY\NetworkService privileges by sending malicious serialized .NET data to the '/ProjectCenter.rem' endpoint on TCP port 9003. The vulnerability stems from insecure deserialization of untrusted data on a network-exposed endpoint. While vendor architecture recommends internal-only deployment, the service accepts network connections without authentication (CVSS AV:N/PR:N), creating critical risk for organizations with exposed instances. CWE-306 (Missing Authentication) confirms the root cause as lack of authentication controls on a sensitive endpoint.

Authentication Bypass RCE Project Center
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2024-32499 MEDIUM This Month

Newforma Project Center Server through 2023.3.0.32259 allows remote code execution because .NET Remoting is exposed. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection Project Center
NVD
CVSS 3.1
4.9
EPSS
0.5%
EPSS 0% CVSS 9.2
CRITICAL Act Now

Remote code execution in Newforma Project Center Server (NPCS) 2024.3 allows unauthenticated attackers to execute arbitrary code with NT AUTHORITY\NetworkService privileges by sending malicious serialized .NET data to the '/ProjectCenter.rem' endpoint on TCP port 9003. The vulnerability stems from insecure deserialization of untrusted data on a network-exposed endpoint. While vendor architecture recommends internal-only deployment, the service accepts network connections without authentication (CVSS AV:N/PR:N), creating critical risk for organizations with exposed instances. CWE-306 (Missing Authentication) confirms the root cause as lack of authentication controls on a sensitive endpoint.

Authentication Bypass RCE Project Center
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Newforma Project Center Server through 2023.3.0.32259 allows remote code execution because .NET Remoting is exposed. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection Project Center
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy