CVE-2025-35052

5.3 MEDIUM

📋 TL;DR

Newforma Info Exchange (NIX) uses a hard-coded encryption key for query parameters, allowing attackers to bypass authentication and authorization by manipulating encrypted parameters like 'qs' to download files. This affects NIX installations using vulnerable versions, particularly those with internet-facing download endpoints.

💻 Affected Systems

Products:
  • Newforma Info Exchange (NIX)
Versions: before 2023.3 and 2024.1
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: NIX 2023.3 and 2024.1 limit but may not completely eliminate hard-coded key usage. All default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could download sensitive files from the system, potentially exposing confidential project data, credentials, or system files.

🟠 Likely Case

Attackers with some system knowledge could access files they shouldn't have permission to view, leading to data leakage of project documents or configuration files.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to files accessible through the vulnerable endpoint only.

🌐 Internet-Facing: HIGH - The '/DownloadWeb/download.aspx' endpoint is typically internet-facing, allowing direct exploitation from external networks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to bypass authorization controls and access unauthorized files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of the encryption scheme and parameter manipulation, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NIX 2023.3 or 2024.1

Vendor Advisory: https://www.cve.org/CVERecord?id=CVE-2025-35052

Restart Required: No

Instructions:

1. Upgrade to NIX 2023.3 or 2024.1.
2. Apply vendor-provided patches if available.
3. Verify the fix by testing parameter encryption behavior.

🔧 Temporary Workarounds

Restrict Download Endpoint Access

all

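Implement network-level restrictions to limit access to the vulnerable '/DownloadWeb/download.aspx' endpoint. A host firewall rule matches on port, address and program rather than URL path, so the example below blocks all inbound traffic on ports 80 and 443 for the matched program, not only the download endpoint. Restricting the path alone requires a reverse proxy or WAF.

# Example firewall rule (Windows):
New-NetFirewallRule -DisplayName 'Block NIX Download' -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress 0.0.0.0/0 -Action Block -Program 'C:\Program Files\Newforma\NIX\...'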

Implement WAF Rules

all

Configure a web application firewall to block or sanitize the 'qs' parameter in download requests. In the example rule, 'encrypted_pattern' is a placeholder for a site-specific regular expression.

# Example ModSecurity rule:
SecRule ARGS:qs "@rx encrypted_pattern" "id:1001,phase:2,deny,msg:'Block NIX CVE-2025-35052 exploit'"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NIX servers from untrusted networks.
  • Deploy application-level monitoring to detect unusual download patterns or parameter manipulation attempts.

🔍 How to Verify

Check if Vulnerable:

Test if manipulating the 'qs' parameter in '/DownloadWeb/download.aspx' requests allows unauthorized file downloads without proper authentication.

Check Version:

Check NIX version in application interface or configuration files, typically in 'C:\Program Files\Newforma\NIX\version.txt' or similar location.

Verify Fix Applied:

After patching, verify that encrypted parameters no longer work with the hard-coded key and that proper authentication is enforced for file downloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual download patterns from '/DownloadWeb/download.aspx'
  • Requests with manipulated 'qs' parameter values
  • Failed authentication attempts followed by successful downloads

Network Indicators:

  • Unusual traffic patterns to download endpoints
  • Requests with encrypted parameters from unexpected sources

SIEM Query:

source="nix_logs" AND (url="/DownloadWeb/download.aspx" AND (qs=* OR parameter_tampering=*))
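
The log indicators above can be checked offline against web server logs. The following is an added example, not part of the original advisory or of Newforma's tooling. It assumes IIS W3C logs with the standard c-ip, cs-uri-stem, cs-uri-query and sc-status fields, treats 401/403 as a failed authentication, and uses an arbitrary threshold for distinct 'qs' values per client. The log lines are constructed.

```python
from collections import defaultdict

ENDPOINT = "/downloadweb/download.aspx"  # path named in the advisory, compared case-insensitively

# Constructed IIS W3C sample (documentation-range IPs, placeholder qs values).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-10 09:00:01 198.51.100.7 GET /DownloadWeb/download.aspx qs=AAAA 401
2025-01-10 09:00:05 198.51.100.7 GET /DownloadWeb/download.aspx qs=BBBB 200
2025-01-10 09:00:06 198.51.100.7 GET /DownloadWeb/download.aspx qs=CCCC 200
2025-01-10 09:00:07 198.51.100.7 GET /DownloadWeb/download.aspx qs=DDDD 200
2025-01-10 09:01:00 203.0.113.20 GET /DownloadWeb/download.aspx qs=EEEE 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def qs_value(query):
    # Return the raw 'qs' parameter from cs-uri-query, or None if absent.
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "qs":
            return value
    return None

def find_suspects(text, max_distinct_qs=2):
    """Map client IP -> reasons, for the two indicators listed in the advisory."""
    denied, distinct, flagged = set(), defaultdict(set), defaultdict(set)
    for r in parse_w3c(text):
        qs = qs_value(r["cs-uri-query"])
        if r["cs-uri-stem"].lower() != ENDPOINT or qs is None:
            continue
        ip, status = r["c-ip"], r["sc-status"]
        if status in ("401", "403"):      # assumed to mean a failed authentication
            denied.add(ip)
        elif status == "200":
            if ip in denied:              # failed auth followed by a successful download
                flagged[ip].add("denied_then_download")
            distinct[ip].add(qs)
            if len(distinct[ip]) > max_distinct_qs:  # many different qs values from one client
                flagged[ip].add("many_distinct_qs")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}
```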
