CVE-2025-35053 – CVE-2025-35053 allows authenticated users in Ne... (How to Fix)

Q: What is the severity of CVE-2025-35053?

CVE-2025-35053 has a CVSS score of 6.4 (MEDIUM). CVE-2025-35053 allows authenticated users in Newforma Info Exchange (NIX) to read and delete arbitrary files with NetworkService privileges via the '/UserWeb/Common/MarkupServices.ashx' endpoint. Combined with CVE-2025-35062 (anonymous access enabled by default), this can be exploited by unauthenticated attackers. Organizations using Newforma Info Exchange before version 2023.1 are affected.

📋 TL;DR

CVE-2025-35053 allows authenticated users in Newforma Info Exchange (NIX) to read and delete arbitrary files with NetworkService privileges via the '/UserWeb/Common/MarkupServices.ashx' endpoint. Combined with CVE-2025-35062 (anonymous access enabled by default), this can be exploited by unauthenticated attackers. Organizations using Newforma Info Exchange before version 2023.1 are affected.

💻 Affected Systems

Products:

Newforma Info Exchange (NIX)

Versions: All versions before 2023.1

Operating Systems: Windows Server (where NIX is deployed)

Default Config Vulnerable: ⚠️ Yes

Notes: Default configuration with anonymous access enabled (CVE-2025-35062) makes exploitation trivial for unauthenticated attackers.

📦 What is this software?

Project Center by Newforma

View all CVEs affecting Project Center →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary file deletion leading to service disruption, or reading sensitive files containing credentials/configurations enabling lateral movement.

🟠

Likely Case

Unauthenticated attackers reading configuration files, deleting critical application files causing service disruption, or accessing sensitive project data.

🟢

If Mitigated

Limited to authenticated users only, restricting impact to authorized personnel with malicious intent.

🌐 Internet-Facing: HIGH - When combined with CVE-2025-35062, internet-facing instances are vulnerable to unauthenticated exploitation.

🏢 Internal Only: MEDIUM - Internal instances still vulnerable but require network access and potentially authentication.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending crafted HTTP POST requests to the vulnerable endpoint. When combined with CVE-2025-35062, no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.1 or later

Vendor Advisory: https://www.newforma.com/security-advisories/

Restart Required: Yes

Instructions:

1. Upgrade Newforma Info Exchange to version 2023.1 or later. 2. Apply all security patches from Newforma. 3. Restart the NIX service after upgrade.

🔧 Temporary Workarounds

Disable Anonymous Access

all

Disable anonymous authentication in NIX configuration to prevent unauthenticated exploitation via CVE-2025-35062.

Configure NIX authentication settings to require valid user credentials for all access.

Block Vulnerable Endpoint

windows

Use web application firewall or IIS URL rewrite rules to block access to '/UserWeb/Common/MarkupServices.ashx'.

Add URL rewrite rule in IIS to block requests to MarkupServices.ashx

🧯 If You Can't Patch

Implement strict network segmentation to isolate NIX servers from untrusted networks
Enable detailed logging and monitoring for suspicious access to the MarkupServices.ashx endpoint

🔍 How to Verify

Check if Vulnerable:

Check NIX version via administrative interface. If version is below 2023.1, system is vulnerable.

Check Version:

Check NIX web interface admin panel or consult Newforma documentation for version verification.

Verify Fix Applied:

Confirm NIX version is 2023.1 or later and test that anonymous users cannot access the MarkupServices.ashx endpoint.

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to '/UserWeb/Common/MarkupServices.ashx' with 'DownloadExportedPDF' parameter
File deletion or access events from NetworkService account to unexpected paths

Network Indicators:

Unusual HTTP traffic patterns to the MarkupServices.ashx endpoint
Multiple failed authentication attempts followed by successful access to the endpoint

SIEM Query:

source="iis" AND cs_uri_stem="/UserWeb/Common/MarkupServices.ashx" AND cs_method="POST" AND cs_uri_query CONTAINS "DownloadExportedPDF"

📊 Metadata

CVE ID: CVE-2025-35053

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

CWE: CWE-22

EPSS Score: 0.06% exploit probability (19.8th percentile)

Published: October 9, 2025

Last Updated: October 22, 2025

🔗 References

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-35053 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-35062 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-35053, you might also want to check these: