PT-2025-41467 · Newforma · Newforma Project Center Server
Adam Merrill +6 · Published 2025-10-09 · Updated 2026-01-09 · CVE-2025-35051
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Newforma Project Center Server (NPCS) (affected versions not specified)
Description
Newforma Project Center Server (NPCS) allows a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. This is possible because the software accepts serialized .NET data via the /ProjectCenter.rem API endpoint on port 9003/tcp. The vulnerable endpoint is intended to be accessible only on an internal network according to the recommended architecture. The vulnerable parameter is the serialized .NET data sent to the /ProjectCenter.rem endpoint.
Recommendations
Restrict network access to Newforma Project Center Server (NPCS).
Fix
RCE
Missing Authentication
Deserialization of Untrusted Data
Affected Products
Newforma Project Center Server