CVE-2025-35061
📋 TL;DR
CVE-2025-35061 is an authentication relay vulnerability in Newforma Info Exchange (NIX) that allows unauthenticated attackers to force the system to make SMB connections to attacker-controlled servers. This enables capture of NTLMv2 hashes from the NIX service account, potentially leading to credential theft. Organizations running vulnerable NIX instances with internet-facing LegacyIntegrationServices.asmx endpoints are affected.
💻 Affected Systems
- Newforma Info Exchange (NIX)
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture the service account's NTLMv2 hash, crack it offline, gain authenticated access to the NIX system, pivot to internal network resources, and potentially achieve domain compromise.
Likely Case
Attackers capture the NTLMv2 hash, attempt offline cracking and, if successful, gain access to the NIX system with service-account privileges.
If Mitigated
With proper network segmentation and monitoring, attackers can at most capture hashes; they cannot crack them or use them to access protected systems.
🎯 Exploit Status
Exploitation requires setting up an SMB server to capture NTLMv2 responses. No authentication is needed to trigger the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Newforma vendor advisory for specific patched versions
Vendor Advisory: https://www.newforma.com/security-advisories/
Restart Required: No
Instructions:
1. Check the Newforma security advisory for CVE-2025-35061.
2. Apply the recommended patch/update from Newforma.
3. Verify that the LegacyIntegrationServices.asmx endpoint no longer makes unauthorized SMB connections.
🔧 Temporary Workarounds
Block external SMB connections
Platform: Windows. Prevent the NIX system from making outbound SMB connections to untrusted networks.
Windows Firewall: New-NetFirewallRule -DisplayName 'Block NIX SMB Outbound' -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block (as written this blocks all outbound SMB from the host, including to internal file servers; scope it with -RemoteAddress to the external ranges you want blocked)
Group Policy: Configure outbound firewall rules to block TCP 445 to external networks.
Restrict endpoint access
Platform: Windows. Limit access to the vulnerable LegacyIntegrationServices.asmx endpoint.
IIS: Add IP restrictions to /NPCSRemoteWeb/LegacyIntegrationServices.asmx.
Web.config: <location path='NPCSRemoteWeb/LegacyIntegrationServices.asmx'> with appropriate authorization rules for that path.
🧯 If You Can't Patch
- Implement network segmentation to prevent the NIX system from making outbound SMB connections to untrusted networks
- Monitor for outbound SMB connections from NIX systems to unknown IP addresses
- Use a strong, complex password for the NIX service account to make hash cracking difficult
- Consider disabling the LegacyIntegrationServices.asmx endpoint if it is not required
🔍 How to Verify
Check if Vulnerable:
Test whether unauthenticated requests to https://[nix-server]/NPCSRemoteWeb/LegacyIntegrationServices.asmx trigger outbound SMB connections. Monitor network traffic for SMB (TCP 445) connections from the NIX server after accessing the endpoint.
Check Version:
Check the NIX version through the administrative interface, or consult Newforma documentation for version identification methods.
Verify Fix Applied:
After patching, verify that accessing the LegacyIntegrationServices.asmx endpoint no longer triggers outbound SMB connections; test with network monitoring tools.
📡 Detection & Monitoring
Log Indicators:
- IIS logs showing access to LegacyIntegrationServices.asmx from untrusted sources
- Windows event logs showing SMB client authentication attempts from NIX service account
Network Indicators:
- Outbound SMB (TCP 445) connections from NIX server to unknown external IPs
- NTLM authentication traffic from NIX server to unexpected destinations
SIEM Query:
source_ip=[NIX_SERVER] AND dest_port=445 AND protocol=TCP AND dest_ip NOT IN [trusted_networks]
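Detection logic for the indicators above, as an added example (not from the advisory or from Newforma): it parses Windows Firewall (pfirewall.log) and IIS W3C log lines, flags outbound TCP/445 from the NIX host to addresses outside trusted ranges and requests to the legacy endpoint from untrusted clients, then correlates the two in time. The NIX address, trusted ranges and all log lines are constructed placeholders.

```python
"""Detection for the CVE-2025-35061 indicators: outbound TCP/445 from the NIX host to
untrusted addresses, plus untrusted hits on LegacyIntegrationServices.asmx, correlated."""
import ipaddress
from datetime import datetime, timedelta
# Assumed (placeholder) addressing for this example.
NIX_SERVER = ipaddress.ip_address("10.0.5.20")
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ENDPOINT = "/npcsremoteweb/legacyintegrationservices.asmx"

# Constructed pfirewall.log lines: date time action protocol src-ip dst-ip src-port dst-port ...
FIREWALL_LOG = """\
2025-06-01 10:00:01 ALLOW TCP 10.0.5.20 10.0.7.5 51001 445 - - - - - - - SEND
2025-06-01 10:00:02 ALLOW TCP 10.0.5.20 203.0.113.9 51002 445 - - - - - - - SEND
2025-06-01 10:00:03 ALLOW TCP 10.0.5.20 203.0.113.9 51003 443 - - - - - - - SEND
2025-06-01 10:00:04 ALLOW TCP 10.0.9.1 10.0.5.20 51004 445 - - - - - - - RECEIVE
"""
# Constructed IIS W3C lines: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
IIS_LOG = """\
2025-06-01 09:59:58 10.0.5.20 POST /NPCSRemoteWeb/LegacyIntegrationServices.asmx - 443 - 203.0.113.9
2025-06-01 09:59:59 10.0.5.20 GET /NPCSRemoteWeb/Default.aspx - 443 - 203.0.113.9
2025-06-01 10:00:00 10.0.5.20 POST /NPCSRemoteWeb/LegacyIntegrationServices.asmx - 443 jdoe 10.0.3.4
"""

def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_smb(log):
    """(timestamp, dst_ip) for outbound TCP/445 from the NIX host to untrusted IPs."""
    hits = []
    for f in (line.split() for line in log.splitlines()):
        if len(f) < 8 or f[3] != "TCP":      # also skips '#Fields:' header lines
            continue
        src, dst = ipaddress.ip_address(f[4]), ipaddress.ip_address(f[5])
        if src == NIX_SERVER and int(f[7]) == 445 and not is_trusted(dst):
            hits.append((_ts(f[0], f[1]), str(dst)))
    return hits

def untrusted_endpoint_hits(log):
    """(timestamp, client_ip) for requests to the legacy endpoint from untrusted clients."""
    hits = []
    for f in (line.split() for line in log.splitlines()):
        if len(f) >= 9 and f[4].lower() == ENDPOINT and not is_trusted(ipaddress.ip_address(f[8])):
            hits.append((_ts(f[0], f[1]), f[8]))
    return hits

def correlate(smb_hits, web_hits, window=timedelta(seconds=60)):
    """Pair each untrusted SMB connection with an endpoint hit shortly before it."""
    return [(str(t), dst, client) for t, dst in smb_hits
            for wt, client in web_hits if timedelta(0) <= t - wt <= window]
```

A correlated pair (endpoint hit followed within the window by outbound SMB to an untrusted address) is the strongest indicator; either list alone is a weaker signal worth reviewing.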