CVE-2024-32499: CWE-94 Improper Control of Generation of Code ('Code Injection') in Newforma Project Center Server
Newforma Project Center Server through 2023.3.0.32259 allows remote code execution because .NET Remoting is exposed.
AI Analysis
Technical Summary
CVE-2024-32499 is a medium-severity vulnerability affecting Newforma Project Center Server versions up to 2023.3.0.32259. The root cause is improper control of code generation (CWE-94), specifically due to the exposure of .NET Remoting interfaces. .NET Remoting is a legacy Microsoft framework that allows inter-process communication and remote method invocation. When exposed improperly, it can allow an attacker to send maliciously crafted requests that result in arbitrary code execution on the server. This vulnerability enables remote code execution (RCE) without requiring user interaction, but it does require low-level privileges (PR:L) and has a high attack complexity (AC:H), indicating that exploitation is not trivial but feasible under certain conditions. The CVSS 3.1 base score is 4.9, reflecting limited confidentiality and integrity impact (both low), no impact on availability, and a scope change (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises because the server exposes .NET Remoting endpoints that can be manipulated to inject and execute arbitrary code, which could lead to unauthorized access, data manipulation, or lateral movement within the affected environment. Given the nature of the product—Project Center Server, which is used for project information management in architecture, engineering, and construction sectors—the exposure of such a vulnerability could compromise sensitive project data and workflows.
Potential Impact
For European organizations, the impact of CVE-2024-32499 could be significant, especially for those in the architecture, engineering, and construction (AEC) industries that rely on Newforma Project Center Server for project collaboration and document management. Successful exploitation could lead to unauthorized code execution on critical project management servers, potentially resulting in data breaches, manipulation of project documentation, disruption of project workflows, and exposure of intellectual property. Although the vulnerability does not directly impact availability, the integrity and confidentiality of project data could be compromised, affecting contractual obligations and regulatory compliance (e.g., GDPR). The medium CVSS score and the requirement for low privileges and high attack complexity suggest that while exploitation is not trivial, motivated attackers with some access could leverage this vulnerability to escalate privileges or move laterally within networks. This risk is heightened in environments where network segmentation or endpoint protections are weak. Additionally, the scope change indicates that the vulnerability could affect other components or systems beyond the Project Center Server itself, increasing potential damage.
Mitigation Recommendations
Given the absence of an official patch at the time of this report, European organizations should implement the following specific mitigations:
1) Immediately restrict network access to the Newforma Project Center Server, especially blocking inbound traffic to the .NET Remoting ports (commonly TCP 808 or custom ports) from untrusted networks.
2) Employ network segmentation to isolate the Project Center Server from general user networks and limit administrative access to trusted personnel only.
3) Monitor network traffic for unusual or malformed .NET Remoting requests indicative of exploitation attempts.
4) Review and harden server configurations to disable or limit .NET Remoting exposure if possible, or apply application-level controls to validate and sanitize incoming remote calls.
5) Enforce strict access controls and multi-factor authentication for accounts with low privileges that could be leveraged in exploitation.
6) Prepare incident response plans specific to this vulnerability, including forensic readiness to detect and respond to potential RCE attempts.
7) Engage with Newforma support channels to obtain patches or workarounds as soon as they become available and prioritize timely application of updates.
8) Conduct internal audits to identify all instances of Project Center Server deployments to ensure comprehensive coverage of mitigation efforts.
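To support the access-restriction and monitoring mitigations above, the following added example (not code from this advisory or from Newforma) recognises the .NET Remoting TCP-channel frame preamble, as laid out in Microsoft's MS-NRTP specification, at the start of a captured stream and flags calls from sources outside an allowlist. The trusted subnet, the sample flows and every function name are assumptions constructed for illustration; port 808 is used only because the advisory cites it.

```python
import ipaddress
import struct

NRTP_MAGIC = b".NET"  # ProtocolId 0x54454E2E as it appears on the wire
OPERATIONS = {0: "Request", 1: "OneWayRequest", 2: "Reply"}
# Assumption: the only subnet allowed to reach the remoting port (placeholder).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def parse_nrtp_preamble(payload: bytes):
    """Return (operation, content_length) for an MS-NRTP TCP frame, else None."""
    if len(payload) < 10 or payload[:4] != NRTP_MAGIC:
        return None
    major, minor, op, dist = struct.unpack_from("<BBHH", payload, 4)
    if (major, minor) != (1, 0) or op not in OPERATIONS or dist not in (0, 1):
        return None
    if dist == 1:  # chunked: total length is not carried in the preamble
        return OPERATIONS[op], None
    if len(payload) < 14:
        return None
    (length,) = struct.unpack_from("<I", payload, 10)
    return OPERATIONS[op], length

def triage(flows):
    """Flag inbound remoting calls whose source is outside TRUSTED_NETS."""
    alerts = []
    for src, dport, payload in flows:
        frame = parse_nrtp_preamble(payload)
        if frame is None or frame[0] == "Reply":
            continue
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
            alerts.append((src, dport, frame[0], frame[1]))
    return alerts

def _frame(op, body_len):
    # Constructed preamble only; no real remoting message follows it.
    return NRTP_MAGIC + struct.pack("<BBHHI", 1, 0, op, 0, body_len)

# Constructed sample: (source IP, destination port, first bytes of the TCP stream).
SAMPLE_FLOWS = [
    ("10.20.0.15", 808, _frame(0, 64)),           # trusted subnet
    ("203.0.113.7", 808, _frame(0, 128)),         # untrusted source
    ("203.0.113.7", 443, b"GET / HTTP/1.1\r\n"),  # not .NET Remoting
    ("198.51.100.9", 9000, _frame(1, 32)),        # custom port, untrusted
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print("ALERT remoting call from untrusted source:", alert)
```

Matching on the preamble rather than the port number also catches deployments that use a custom port. It covers only the TCP channel, so remoting carried over HTTP needs a separate check.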
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-04-15T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef5ed
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 8:37:48 PM
Last updated: 7/30/2025, 9:40:11 PM