CVE-2025-35051: CWE-502 Deserialization of Untrusted Data in Newforma Project Center
CVE-2025-35051 is a critical remote code execution vulnerability in Newforma Project Center Server (NPCS) affecting all versions including 2024.3. The flaw arises from unsafe deserialization of untrusted .NET data via the '/ProjectCenter.rem' endpoint on TCP port 9003, allowing unauthenticated attackers to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. The vulnerable endpoint is intended to be accessible only within internal networks, reducing exposure but still posing significant risk if network segmentation is inadequate. Exploitation requires no authentication or user interaction and can compromise confidentiality, integrity, and availability of affected systems. No public exploits are known yet, but the high CVSS score (9.8) indicates critical severity. European organizations using NPCS internally should restrict network access to the server, monitor for suspicious activity, and apply vendor patches once available.
AI Analysis
Technical Summary
CVE-2025-35051 is a critical vulnerability identified in Newforma Project Center Server (NPCS), a project information management software widely used in architecture, engineering, and construction industries. The vulnerability stems from unsafe deserialization of untrusted .NET serialized data submitted to the '/ProjectCenter.rem' endpoint, which listens on TCP port 9003. Deserialization vulnerabilities (CWE-502) occur when applications deserialize data from untrusted sources without sufficient validation, enabling attackers to craft malicious payloads that execute arbitrary code during the deserialization process. In this case, an unauthenticated remote attacker can send specially crafted serialized data to NPCS and achieve remote code execution with the privileges of the 'NT AUTHORITY\NetworkService' account, which typically has significant system-level permissions. The vulnerability affects all versions of NPCS, including the latest 2024.3 release. The recommended architecture assumes this endpoint is only accessible on internal networks, which limits exposure but does not eliminate risk, especially in environments with inadequate network segmentation or where internal threats exist. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical nature due to network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the severity and ease of exploitation make it a high priority for remediation. The vulnerability also relates to CWE-306 (missing authentication), indicating that the endpoint does not require authentication, further increasing risk. Organizations should monitor network traffic on port 9003 for suspicious activity and prepare to deploy patches once Newforma releases them.
Potential Impact
For European organizations, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of project management data and potentially broader IT infrastructure. Successful exploitation could allow attackers to execute arbitrary code on NPCS servers, leading to data theft, manipulation of project information, disruption of business operations, and potential lateral movement within internal networks. Given NPCS's role in managing sensitive project data, including design documents, contracts, and schedules, compromise could result in intellectual property loss and contractual breaches. The internal network exposure assumption may not hold in all environments, especially with increased remote work and VPN usage, increasing the attack surface. Additionally, the 'NT AUTHORITY\NetworkService' privileges provide substantial access, potentially allowing attackers to install malware, create backdoors, or pivot to other critical systems. The lack of known public exploits suggests a window for proactive mitigation, but the critical CVSS score demands immediate attention. European organizations in construction, engineering, and architecture sectors using NPCS should consider this vulnerability a top priority to avoid operational and reputational damage.
Mitigation Recommendations
1. Immediately restrict network access to the NPCS server's TCP port 9003 endpoint to trusted internal hosts only, using firewalls, VLAN segmentation, or access control lists.
2. Implement strict network segmentation to isolate NPCS servers from general user networks and external access, including VPNs and remote desktop gateways.
3. Monitor network traffic on port 9003 for anomalous or unexpected serialized .NET data submissions, leveraging intrusion detection/prevention systems with custom signatures if possible.
4. Enforce strict authentication and authorization controls around NPCS access, even if the vulnerable endpoint itself lacks authentication, to reduce lateral movement risk.
5. Engage with Newforma support to obtain and apply security patches or updates addressing this vulnerability as soon as they become available.
6. Conduct internal audits to identify any NPCS instances exposed beyond intended internal networks and remediate exposure.
7. Educate IT and security teams about the risks of deserialization vulnerabilities and the importance of network controls in mitigating them.
8. Prepare incident response plans specifically for potential exploitation scenarios involving NPCS compromise.
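As an added example (not part of the original advisory and not Newforma tooling), recommendations 1, 3 and 6 can be checked against the Windows Firewall log of the NPCS host: the script lists sources outside the trusted subnets that reached, or tried to reach, TCP port 9003. It assumes logging in the standard `pfirewall.log` field layout; the trusted subnet, the addresses and the log lines are constructed.

```python
import ipaddress
from collections import Counter

NPCS_PORT = 9003  # port named in the advisory

# Assumption: subnets allowed to reach NPCS; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed sample lines in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-10-10 09:15:02 ALLOW TCP 10.20.5.14 10.20.1.50 51512 9003 0 - 0 0 0 - - - RECEIVE
2025-10-10 09:15:40 ALLOW TCP 10.20.9.77 10.20.1.50 49822 9003 0 - 0 0 0 - - - RECEIVE
2025-10-10 09:16:01 ALLOW TCP 10.20.9.77 10.20.1.50 49823 9003 0 - 0 0 0 - - - RECEIVE
2025-10-10 09:16:05 DROP TCP 192.0.2.44 10.20.1.50 40110 9003 0 - 0 0 0 - - - RECEIVE
2025-10-10 09:17:12 ALLOW TCP 10.20.9.77 10.20.1.50 49830 443 0 - 0 0 0 - - - RECEIVE
"""


def untrusted_npcs_connections(log_text, trusted=TRUSTED_NETS, port=NPCS_PORT):
    """Count inbound TCP hits on `port` from sources outside `trusted`.

    Returns {(src_ip, action): count}. ALLOW entries are segmentation gaps
    to close; DROP entries are blocked attempts worth reviewing.
    """
    fields = None
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log header, not a hard-coded index.
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, parts))
        if (rec["protocol"] != "TCP" or rec["dst-port"] != str(port)
                or rec["path"] != "RECEIVE"):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if not any(src in net for net in trusted):
            hits[(rec["src-ip"], rec["action"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, action), n in sorted(untrusted_npcs_connections(SAMPLE_LOG).items()):
        print(f"{src:15} {action:5} {n}")
```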
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.405Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e81d26ba0e608b4fac9422
Added to database: 10/9/2025, 8:37:58 PM
Last enriched: 10/17/2025, 5:17:42 AM
Last updated: 12/4/2025, 6:19:59 PM