CVE-2025-35057
📋 TL;DR
This vulnerability in Newforma Info Exchange (NIX) allows remote, unauthenticated attackers to force the NIX server to initiate SMB connections to attacker-controlled systems. This enables credential theft by capturing NTLMv2 hashes of the NIX service account. Organizations running vulnerable NIX instances are affected.
💻 Affected Systems
- Newforma Info Exchange
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture the service account's NTLMv2 hash and perform pass-the-hash attacks to gain unauthorized access to network resources, potentially leading to lateral movement and domain compromise.
Likely Case
Attackers capture the NIX service account's NTLMv2 hash and potentially use it for limited unauthorized access to SMB shares or other resources accessible to that account.
If Mitigated
With proper network segmentation and credential protection, the impact is limited to potential disclosure of the service account hash without the ability to leverage it for further access.
🎯 Exploit Status
Exploitation requires an attacker to control an SMB server and lure the NIX server into connecting to it via the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in CVE details
Vendor Advisory: https://www.cve.org/CVERecord?id=CVE-2025-35057
Restart Required: No
Instructions:
1. Contact Newforma for patch information.
2. Apply the vendor-provided security update.
3. Verify the endpoint no longer initiates unauthorized SMB connections.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound SMB connections from the NIX server to only trusted internal systems
Configure firewall rules to block outbound SMB (TCP 445) from NIX server to untrusted networks
Endpoint Restriction
Restrict access to the vulnerable endpoint to trusted IP addresses only
Configure web server/IP restrictions for '/RemoteWeb/IntegrationServices.ashx' endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to prevent NIX server from making outbound SMB connections to untrusted networks
- Monitor for outbound SMB connections from NIX server to unknown IP addresses
🔍 How to Verify
Check if Vulnerable:
Test if '/RemoteWeb/IntegrationServices.ashx' endpoint can be triggered to initiate SMB connections to external systems
Check Version:
Check the NIX version through the administrative interface or contact the vendor
Verify Fix Applied:
Verify endpoint no longer initiates SMB connections when triggered with malicious payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound SMB connections from NIX server
- Access attempts to '/RemoteWeb/IntegrationServices.ashx' from untrusted sources
Network Indicators:
- Outbound SMB (TCP 445) connections from NIX server to unknown external IPs
- NTLM authentication attempts from NIX service account to untrusted systems
SIEM Query:
source_ip=NIX_server AND dest_port=445 AND dest_ip NOT IN (trusted_networks)
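The SIEM query above and the log indicators before it, turned into runnable detection logic as an added example (not part of the advisory): it flags TCP/445 flows from the NIX server to hosts outside trusted ranges and requests to '/RemoteWeb/IntegrationServices.ashx' from untrusted clients. The server address, trusted ranges, log formats and sample lines are all constructed assumptions; adapt the regexes to your own firewall and web logs.

```python
import ipaddress
import re

# Constructed example values (not from the advisory): the NIX server's address,
# the internal ranges allowed to receive SMB from it, and two simple log formats.
NIX_SERVER = "10.10.5.20"
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ENDPOINT = "/RemoteWeb/IntegrationServices.ashx"
FW_LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")   # firewall
WEB_LINE = re.compile(r"^(\S+) (\S+) \w+ (\S+) \d{3}$")                       # web access

def is_trusted(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False  # malformed address: treat as untrusted so it gets reviewed
    return any(ip in net for net in TRUSTED_NETWORKS)

def flag_outbound_smb(lines):
    """(timestamp, dst) for TCP/445 flows from the NIX server to untrusted hosts."""
    hits = []
    for line in lines:
        m = FW_LINE.match(line)
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        if src == NIX_SERVER and proto.upper() == "TCP" and dport == "445" and not is_trusted(dst):
            hits.append((ts, dst))
    return hits

def flag_endpoint_access(lines):
    """(timestamp, client) for requests to the vulnerable endpoint from untrusted clients."""
    hits = []
    for line in lines:
        m = WEB_LINE.match(line)
        if not m:
            continue
        ts, client, path = m.groups()
        if path.split("?", 1)[0].lower() == ENDPOINT.lower() and not is_trusted(client):
            hits.append((ts, client))
    return hits

# Constructed sample lines: one internal SMB flow and one to an external host; one
# internal request to the endpoint and one from an untrusted client.
SAMPLE_FW = ["2025-01-01T10:00:00Z src=10.10.5.20 dst=10.10.7.3 dport=445 proto=TCP",
             "2025-01-01T10:00:05Z src=10.10.5.20 dst=203.0.113.9 dport=445 proto=TCP"]
SAMPLE_WEB = ["2025-01-01T09:59:58Z 10.10.8.4 POST /RemoteWeb/IntegrationServices.ashx 200",
              "2025-01-01T09:59:59Z 198.51.100.7 POST /RemoteWeb/IntegrationServices.ashx?x=1 200"]
```

A single hit from `flag_outbound_smb` is enough to warrant investigation, since a correctly segmented NIX server should never open SMB to an address outside the trusted ranges.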