CVE-2025-35052: CWE-321 Use of Hard-coded Cryptographic Key in Newforma Project Center
Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shared across NIX installations. NIX 2023.3 and 2024.1 limit the use of hard-coded keys.
AI Analysis
Technical Summary
CVE-2025-35052 identifies a vulnerability in Newforma Project Center, specifically in the Newforma Info Exchange (NIX) component, where a hard-coded cryptographic key is used to encrypt certain query parameters. These parameters, such as the 'qs' parameter in the '/DownloadWeb/download.aspx' endpoint, can specify file paths for downloads. Because the encryption key is hard-coded and shared across all NIX installations, an attacker who obtains or reverse-engineers this key can decrypt or forge encrypted parameters. This enables bypassing authentication and authorization mechanisms, potentially allowing unauthorized users to download arbitrary files from the system. The vulnerability affects all versions up to and including 2024.3. Newforma versions 2023.3 and 2024.1 have introduced limitations on the use of hard-coded keys, reducing exposure. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact without integrity or availability impact. No known exploits are currently reported in the wild. The vulnerability stems from CWE-321, which concerns the use of hard-coded cryptographic keys that undermine encryption effectiveness. Because the key is shared across installations, compromise of one instance can lead to attacks on others. The flaw primarily impacts confidentiality by exposing files that should be protected by access controls. The attack surface includes any externally accessible NIX download endpoints that accept encrypted query parameters. Mitigation involves eliminating hard-coded keys, implementing per-installation unique keys, and enforcing strict access controls on download functionality.
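The analysis above points to the root cause: a download parameter that carries a file path, protected only by a key shared across every installation. The following is an added example, not Newforma's code, written in Python rather than the product's ASP.NET stack to show the defensive pattern the mitigation points describe: a per-installation key (assumed to be loaded from the deployment's secret store and passed in as an argument), tokens that name an opaque file id rather than a path, binding to the authenticated user with an expiry, and a server-side authorization check that runs even when the token verifies. The `acl` structure and all key and user values are constructed for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Encrypting a path with a key baked into the product makes the parameter
# secret, not trustworthy: anyone holding the shared key can mint one. What the
# server actually needs is an authenticity check under a key that only this
# installation holds, plus its own authorization decision on every request.

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_download_token(key: bytes, user_id: str, file_id: str, ttl: int = 300, now=None) -> str:
    """Mint a token bound to one user and one opaque file id, valid for ttl seconds.
    `key` is the per-installation secret (hypothetically from the deployment's vault)."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = json.dumps({"u": user_id, "f": file_id, "exp": exp}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def verify_download_token(key: bytes, token: str, user_id: str, now=None):
    """Return the file id if the token is authentic, unexpired and issued to user_id, else None."""
    try:
        p64, t64 = token.split(".", 1)
        payload, tag = _b64d(p64), _b64d(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, and before any parsing
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current or claims.get("u") != user_id:
        return None
    return claims.get("f")

def resolve_download(key: bytes, token: str, user_id: str, acl: dict, now=None):
    """Map a verified token to a filesystem path only after re-checking authorization.
    `acl` (constructed here) maps an opaque file id to (path, set of permitted users);
    a valid token alone never yields a path, so a forged or replayed token is useless
    without a matching server-side entitlement."""
    file_id = verify_download_token(key, token, user_id, now)
    if file_id is None or file_id not in acl:
        return None
    path, allowed = acl[file_id]
    return path if user_id in allowed else None
```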
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized data disclosure, particularly sensitive project files managed within Newforma Project Center. Confidentiality breaches could lead to exposure of proprietary designs, contracts, or personal data, potentially violating GDPR requirements and damaging business reputation. The ability to bypass authentication remotely without user interaction increases the likelihood of automated exploitation attempts. Organizations in sectors such as construction, engineering, and architecture, which commonly use Newforma products for project management, are at higher risk. The shared key across installations means that a single key compromise could affect multiple organizations, amplifying the threat. While the vulnerability does not impact data integrity or system availability, the confidentiality loss alone can have significant operational and regulatory consequences. European companies relying on affected versions should consider the potential for targeted attacks, especially given the strategic importance of infrastructure and construction projects in the region.
Mitigation Recommendations
1. Upgrade to Newforma Project Center versions 2023.3 or 2024.1 or later, which limit or eliminate the use of hard-coded cryptographic keys.
2. If upgrading is not immediately possible, restrict network access to the '/DownloadWeb/download.aspx' endpoint using firewalls or web application firewalls (WAFs) to limit exposure to trusted users and IP ranges.
3. Implement monitoring and alerting for unusual access patterns or repeated failed attempts to access encrypted parameters.
4. Conduct code reviews and penetration testing focused on cryptographic implementations and access controls within Newforma deployments.
5. Employ network segmentation to isolate project management systems from general user networks and the internet.
6. Enforce strict authentication and authorization policies on all file download mechanisms, ensuring that parameter manipulation cannot bypass controls.
7. Educate administrators and users about the risks of using outdated software versions and the importance of timely patching.
8. Consider additional encryption or data protection layers at rest and in transit to mitigate potential data exposure.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.405Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e81d26ba0e608b4fac9427
Added to database: 10/9/2025, 8:37:58 PM
Last enriched: 10/9/2025, 8:55:36 PM
Last updated: 10/11/2025, 9:23:15 AM