PT-2025-41468 · Newforma · Newforma Info Exchange

Adam Merrill

Published

2025-10-09

Updated

2025-10-22

CVE-2025-35052

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions Newforma Info Exchange (NIX) versions 2023.3 and 2024.1

Description Newforma Info Exchange (NIX) utilizes a hard-coded key for encrypting query parameters. Certain encrypted parameter values can define file paths for download, potentially circumventing authentication and authorization mechanisms. The /DownloadWeb/download.aspx endpoint is affected, specifically the qs parameter. The shared hard-coded key is consistent across different NIX installations.

Recommendations Newforma Info Exchange version 2023.3 limits the use of hard-coded keys. Newforma Info Exchange version 2024.1 limits the use of hard-coded keys.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-321

Related Identifiers

CVE-2025-35052

Affected Products

Newforma Info Exchange

PT-2025-41468 · Newforma · Newforma Info Exchange

CVE-2025-35052

Weakness Enumeration

Related Identifiers

Affected Products

References · 7