CVE-2025-35050

9.8 CRITICAL

📋 TL;DR

CVE-2025-35050 is a critical remote code execution vulnerability in Newforma Info Exchange (NIX) that allows unauthenticated attackers to execute arbitrary code with NetworkService privileges by sending malicious .NET serialized data to the '/remoteweb/remote.rem' endpoint. This affects organizations using Newforma Project Center Server (NPCS) with NIX integration, potentially enabling attackers to compromise both systems. The vulnerability is particularly dangerous because it requires no authentication and has a high CVSS score of 9.8.

💻 Affected Systems

Products:
  • Newforma Info Exchange (NIX)
  • Newforma Project Center Server (NPCS)
Versions: All versions with the vulnerable '/remoteweb/remote.rem' endpoint
Operating Systems: Windows Server (IIS-based deployments)
Default Config Vulnerable: ⚠️ Yes
Notes: NPCS is vulnerable when connected to a compromised NIX system. The vulnerability exists in the NIX component but enables attacks on NPCS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of both NIX and associated NPCS systems, leading to data theft, ransomware deployment, lateral movement within the network, and potential disruption of construction/engineering project workflows.

🟠 Likely Case

Initial foothold in the network via the NIX system, code execution as the NetworkService account, and subsequent compromise of connected NPCS systems for data exfiltration or further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation and endpoint restrictions, potentially preventing exploitation entirely if the vulnerable endpoint is inaccessible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending specially crafted .NET serialized data to a specific endpoint, which is relatively straightforward for attackers familiar with .NET deserialization attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.cve.org/CVERecord?id=CVE-2025-35050

Restart Required: No

Instructions:

No official patch available. Follow workarounds and mitigation steps below.

🔧 Temporary Workarounds

Restrict Access to Vulnerable Endpoint

Platform: Windows

Use the IIS URL Rewrite Module to block or restrict access to the '/remoteweb/remote.rem' endpoint.

Add a URL rewrite rule in IIS to deny access to '/remoteweb/remote.rem'

Network Segmentation

Platform: All

Isolate NIX and NPCS systems from untrusted networks and implement strict firewall rules.

Configure the firewall to block external access to ports 80/443 on NIX servers
Implement network segmentation between NIX and other systems

🧯 If You Can't Patch

  • Implement strict network access controls to prevent external access to NIX systems
  • Monitor network traffic to '/remoteweb/remote.rem' endpoint for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check if '/remoteweb/remote.rem' endpoint is accessible on NIX servers and if Newforma software is installed

Check Version:

Check Newforma software version through administrative interface or installed programs list

Verify Fix Applied:

Verify that '/remoteweb/remote.rem' endpoint is no longer accessible or returns appropriate access denied responses

📡 Detection & Monitoring

Log Indicators:

  • IIS logs showing requests to '/remoteweb/remote.rem' with unusual payloads
  • Windows Event Logs showing NetworkService account performing unusual activities

Network Indicators:

  • HTTP POST requests to '/remoteweb/remote.rem' endpoint with serialized .NET data
  • Unusual outbound connections from NIX servers

SIEM Query:

source="IIS" AND url="/remoteweb/remote.rem" AND (method="POST" OR size>10000)
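
The SIEM condition above, applied directly to an IIS W3C extended log, as an added example that is not part of the original advisory or any Newforma tooling. It assumes `size` in the query means the `cs-bytes` request-size field (which must be enabled in IIS logging); the sample log lines are constructed.

```python
ENDPOINT = "/remoteweb/remote.rem"
SIZE_THRESHOLD = 10000  # bytes, taken from the SIEM query on this page

# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2025-01-01 10:00:00 198.51.100.7 GET /index.html 200 312
2025-01-01 10:00:05 198.51.100.7 POST /RemoteWeb/Remote.rem 200 18432
2025-01-01 10:00:09 203.0.113.20 GET /remoteweb/remote.rem 403 420
2025-01-01 10:00:12 203.0.113.20 POST /remoteweb/remote.rem 403 15000
"""

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may re-emit this when logging settings change
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_hits(lines):
    """Return rows where url == ENDPOINT AND (method == POST OR size > threshold)."""
    hits = []
    for row in parse_w3c(lines):
        # IIS paths are case-insensitive, so compare the lowercased stem.
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        raw = row.get("cs-bytes", "-")
        size = int(raw) if raw.isdigit() else 0  # "-" means the field was not logged
        if row.get("cs-method", "").upper() == "POST" or size > SIZE_THRESHOLD:
            # A 401/403/404 status suggests the endpoint restriction is in effect.
            blocked = row.get("sc-status") in ("401", "403", "404")
            hits.append((row.get("c-ip"), row.get("cs-method"), size,
                         row.get("sc-status"), blocked))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Hits whose last element is False reached the endpoint without being denied and are the ones to triage first.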
