CVE-2025-35058
📋 TL;DR
CVE-2025-35058 is an authentication bypass vulnerability in Newforma Info Exchange (NIX) that allows unauthenticated remote attackers to force the NIX service to make SMB connections to attacker-controlled systems. This enables capture of NTLMv2 hashes from the NIX service account, potentially leading to credential theft and lateral movement. Organizations running vulnerable versions of NIX are affected.
💻 Affected Systems
- Newforma Info Exchange (NIX)
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture the service account's NTLMv2 hash, crack it offline, and gain authenticated access to NIX and potentially to other systems that use the same credentials, leading to data theft, system compromise, and lateral movement across the network.
Likely Case
Attackers capture the NTLMv2 hash and attempt offline cracking; if successful, they gain access to the NIX system and potentially other resources where the service account has permissions.
If Mitigated
With proper network segmentation, strong password policies, and monitoring, impact is limited to potential service account hash exposure without successful lateral movement.
🎯 Exploit Status
Exploitation requires the attacker to set up a malicious SMB server and trigger the vulnerable endpoint, which is straightforward for attackers with basic knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Newforma vendor advisory for the specific patched version
Vendor Advisory: https://www.newforma.com/security-advisories/ (check for the specific advisory)
Restart Required: No
Instructions:
1. Check the Newforma security advisory for CVE-2025-35058.
2. Download and apply the latest patch from Newforma.
3. Verify the patch is applied by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Block External SMB Access
Prevent NIX from making outbound SMB connections to external or untrusted networks
Use firewall rules to block outbound SMB (TCP 445) from the NIX server to the internet
Restrict Access to Vulnerable Endpoint
Limit access to /UserWeb/Common/MarkupServices.ashx using a web application firewall or network controls
Configure the WAF to block requests to /UserWeb/Common/MarkupServices.ashx from untrusted sources
🧯 If You Can't Patch
- Implement network segmentation to isolate NIX server and restrict outbound SMB connections
- Change NIX service account password to a strong, unique password and monitor for authentication attempts
🔍 How to Verify
Check if Vulnerable:
Test whether unauthenticated requests to https://[nix-server]/UserWeb/Common/MarkupServices.ashx trigger outbound SMB connections from the NIX server (monitor network traffic on TCP port 445)
Check Version:
Check the NIX version through the administrative interface or consult Newforma documentation
Verify Fix Applied:
After patching, verify that the same endpoint no longer initiates outbound SMB connections when accessed without authentication
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication failures for NIX service account
- Access logs showing requests to /UserWeb/Common/MarkupServices.ashx from unexpected sources
Network Indicators:
- Outbound SMB (TCP 445) connections from NIX server to unfamiliar IP addresses
- NTLM authentication attempts from NIX server to external systems
SIEM Query:
source_ip="NIX_SERVER_IP" AND dest_port=445 AND protocol="SMB"
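As an added example (not from the advisory or from Newforma), the following Python applies the log and network indicators above to constructed access-log and firewall-flow samples and correlates them; the NIX server address, the internal and trusted network ranges, and the log formats are all assumptions.

```python
import ipaddress

# Assumed values, constructed for this example (not from the advisory):
NIX_SERVER_IP = "10.0.5.20"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_WEB_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]  # where NIX users normally sit
VULN_ENDPOINT = "/UserWeb/Common/MarkupServices.ashx"

# Constructed sample web-server access log: client_ip method path status
ACCESS_LOG = """\
10.0.7.14 GET /UserWeb/Login.aspx 200
203.0.113.45 POST /UserWeb/Common/MarkupServices.ashx 200
10.0.7.14 GET /UserWeb/Common/MarkupServices.ashx 200
198.51.100.9 POST /userweb/common/markupservices.ashx 200
"""

# Constructed sample firewall flow records: src_ip dst_ip dst_port proto
FLOW_LOG = """\
10.0.5.20 10.0.1.5 445 TCP
10.0.5.20 203.0.113.45 445 TCP
10.0.5.20 192.0.2.77 445 TCP
10.0.7.14 203.0.113.45 443 TCP
"""

def is_in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def suspicious_web_requests(log_text):
    """Client IPs outside TRUSTED_WEB_SOURCES that hit the endpoint (IIS paths are case-insensitive, so compare lowercased)."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        client, _method, path, _status = line.split()[:4]
        if path.lower() == VULN_ENDPOINT.lower() and not is_in(client, TRUSTED_WEB_SOURCES):
            hits.append(client)
    return hits

def suspicious_smb_egress(flow_text):
    """Destinations outside INTERNAL_NETS that the NIX server opened TCP/445 connections to."""
    hits = []
    for line in filter(None, flow_text.splitlines()):
        src, dst, port, proto = line.split()[:4]
        if src == NIX_SERVER_IP and port == "445" and proto == "TCP" and not is_in(dst, INTERNAL_NETS):
            hits.append(dst)
    return hits

def correlate(log_text, flow_text):
    """Strongest signal: an untrusted source hit the endpoint AND then received SMB from the NIX server."""
    return sorted(set(suspicious_web_requests(log_text)) & set(suspicious_smb_egress(flow_text)))
```

Either list alone is worth an alert; a source appearing in both is the pattern described in the TL;DR and should be treated as a probable hash-capture attempt.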