CVE-2025-35062

5.3 MEDIUM

📋 TL;DR

Newforma Info Exchange (NIX) before version 2023.1 has a default configuration that allows anonymous authentication. This enables unauthenticated attackers to exploit other vulnerabilities that would normally require authentication. Organizations using NIX versions before 2023.1 are affected.

💻 Affected Systems

Products:
  • Newforma Info Exchange (NIX)
Versions: All versions before 2023.1
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in default configurations where anonymous authentication is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could chain this vulnerability with other vulnerabilities that normally require authentication to gain unauthorized access, potentially leading to data theft, system compromise, or disruption of services.

🟠 Likely Case

Attackers could use this to bypass the authentication requirement of other vulnerabilities, potentially accessing sensitive project data or system information.

🟢 If Mitigated

With anonymous authentication disabled and the software updated, unauthenticated access attempts are blocked and the risk is significantly reduced.

🌐 Internet-Facing: HIGH - Internet-facing NIX instances are directly accessible to attackers who can exploit this without credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this, but network segmentation provides some protection.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

This vulnerability enables exploitation of other vulnerabilities but is not directly exploitable on its own. Attackers need to chain it with other vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.1 or later

Vendor Advisory: https://www.cve.org/CVERecord?id=CVE-2025-35062

Restart Required: No

Instructions:

1. Upgrade Newforma Info Exchange to version 2023.1 or later.
2. Verify that anonymous authentication is disabled in the updated configuration.
3. Test application functionality after the upgrade.

🔧 Temporary Workarounds

Disable Anonymous Authentication

Manually disable anonymous authentication in the NIX configuration to prevent unauthenticated access.

Navigate to NIX administration console > Security Settings > Authentication > Disable 'Allow Anonymous Access'

Network Access Controls

Implement network segmentation and firewall rules to restrict access to NIX servers.

Configure the firewall to allow NIX access only from trusted IP ranges.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NIX servers from untrusted networks
  • Enable detailed logging and monitoring for authentication attempts and access patterns

🔍 How to Verify

Check if Vulnerable:

Check the NIX version in the administration console. If the version is below 2023.1, the system is vulnerable. Also verify whether anonymous authentication is enabled in the security settings.

Check Version:

Check NIX administration console > System Information > Version

Verify Fix Applied:

After upgrade to 2023.1+, verify version in administration console and confirm anonymous authentication is disabled in security settings.

📡 Detection & Monitoring

Log Indicators:

  • Anonymous authentication attempts
  • Failed authentication attempts from unexpected sources
  • Access to authenticated-only endpoints without credentials

Network Indicators:

  • Unusual traffic patterns to NIX authentication endpoints
  • Requests to NIX without authentication headers

SIEM Query:

source="NIX" AND ((event_type="authentication" AND user="anonymous") OR (status="success" AND auth_method="none"))
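A query of the shape `source="NIX" AND (A) OR (B)` depends on how the SIEM resolves AND/OR precedence: SQL binds AND tighter than OR, so the `source="NIX"` filter would only constrain branch A, while Splunk's search command documents evaluating OR clauses before AND clauses, giving the opposite reading. The following added example (not part of the advisory, and not NIX's real log schema, which the advisory does not document) evaluates both readings over constructed events that use the field names from the query above, to show which events an ungrouped query can pull in from other sources.

```python
# Added example: compare the SQL-precedence reading of the ungrouped SIEM query
# with an explicitly grouped query. The event schema below is an assumption
# built from the field names in the advisory's query, not a documented NIX format.

from typing import Dict, List

# Constructed sample events (illustrative only).
EVENTS: List[Dict[str, str]] = [
    # 0: NIX anonymous login -> should match
    {"source": "NIX", "event_type": "authentication", "user": "anonymous",
     "status": "success", "auth_method": "anonymous"},
    # 1: NIX normal login -> should not match
    {"source": "NIX", "event_type": "authentication", "user": "jdoe",
     "status": "success", "auth_method": "ntlm"},
    # 2: NIX request succeeding with no auth method -> should match
    {"source": "NIX", "event_type": "file_access", "user": "",
     "status": "success", "auth_method": "none"},
    # 3: a different application with auth_method=none -> must NOT match a NIX query
    {"source": "OTHERAPP", "event_type": "authentication", "user": "svc",
     "status": "success", "auth_method": "none"},
]


def anonymous_auth(ev: Dict[str, str]) -> bool:
    """Branch A of the query: event_type="authentication" AND user="anonymous"."""
    return ev.get("event_type") == "authentication" and ev.get("user") == "anonymous"


def unauthenticated_success(ev: Dict[str, str]) -> bool:
    """Branch B of the query: status="success" AND auth_method="none"."""
    return ev.get("status") == "success" and ev.get("auth_method") == "none"


def match_ungrouped_sql_precedence(ev: Dict[str, str]) -> bool:
    """source="NIX" AND (A) OR (B) read with AND binding tighter than OR (SQL rule).

    Parses as (source="NIX" AND A) OR B, so the source filter never applies to B.
    """
    return (ev.get("source") == "NIX" and anonymous_auth(ev)) or unauthenticated_success(ev)


def match_grouped(ev: Dict[str, str]) -> bool:
    """source="NIX" AND ((A) OR (B)): explicit grouping, same meaning in any query language."""
    return ev.get("source") == "NIX" and (anonymous_auth(ev) or unauthenticated_success(ev))


def run(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Return the indexes of matching events under each reading of the query."""
    return {
        "ungrouped": [i for i, e in enumerate(events) if match_ungrouped_sql_precedence(e)],
        "grouped": [i for i, e in enumerate(events) if match_grouped(e)],
    }


if __name__ == "__main__":
    result = run(EVENTS)
    print("ungrouped (SQL precedence):", result["ungrouped"])  # [0, 2, 3]: event 3 is a false positive
    print("grouped:                   ", result["grouped"])    # [0, 2]
```

Under the SQL reading the ungrouped query also returns event 3, an unrelated application's event, so an alert built on it would fire on noise from every source that happens to emit `auth_method="none"`; wrapping the two branches in their own parentheses pins the `source="NIX"` filter to both branches regardless of the SIEM's precedence rules.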
