CVE-2025-35052 identifies a cryptographic weakness in Newforma Project Center's Info Exchange (NIX) component, specifically the use of a hard-coded cryptographic key (CWE-321) to encrypt certain query parameters. The key is embedded in the software and shared across all NIX installations, which significantly weakens the security model. Attackers who obtain this key can decrypt encrypted query parameters, such as the 'qs' parameter used in the /DownloadWeb/download.aspx endpoint, which controls file download paths. By manipulating these parameters, an attacker can bypass authentication and authorization mechanisms to download arbitrary files from the server. This vulnerability affects all versions up to and including 2024.3. Newforma has introduced mitigations in versions 2023.3 and 2024.1 that limit the use of hard-coded keys, but the vulnerability remains in earlier versions. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates that the vulnerability is remotely exploitable without authentication or user interaction, with limited confidentiality impact and no impact on integrity or availability. No public exploits have been reported yet, but the shared key nature makes exploitation feasible for attackers with network access. The vulnerability highlights poor cryptographic practices by embedding static keys, which undermines the confidentiality of sensitive parameters and can lead to unauthorized data disclosure.

For European organizations using Newforma Project Center, this vulnerability poses a risk of unauthorized data disclosure through file download bypass. Confidentiality is impacted as attackers can access files without proper authorization, potentially exposing sensitive project data, intellectual property, or personal information. Although integrity and availability are not directly affected, the breach of confidentiality can have regulatory and reputational consequences, especially under GDPR and other data protection laws. Organizations in sectors such as construction, engineering, and architecture—where Newforma Project Center is commonly used—may face operational disruptions and compliance risks. The ease of exploitation (no authentication or user interaction required) increases the threat level, particularly for externally accessible instances. The shared nature of the cryptographic key means that compromise of one installation could facilitate attacks against others, amplifying the risk across multiple organizations. Given the medium CVSS score, the impact is moderate but significant enough to warrant prompt remediation to prevent data leaks and unauthorized access.

European organizations should immediately assess their use of Newforma Project Center and identify affected versions (all versions up to 2024.3). The primary mitigation is to upgrade to versions 2023.3 or later, where the use of hard-coded cryptographic keys is limited or eliminated. If upgrading is not immediately feasible, organizations should implement compensating controls such as restricting network access to the NIX component, especially the /DownloadWeb/download.aspx endpoint, to trusted internal networks only. Deploy web application firewalls (WAFs) with rules to detect and block suspicious query parameter manipulations. Conduct thorough access control reviews to ensure that file download permissions are strictly enforced at the application and filesystem levels. Monitor logs for unusual download activity or repeated access attempts to sensitive files. Additionally, organizations should consider cryptographic key rotation policies and avoid reliance on static keys in custom integrations. Security awareness training for administrators and developers on secure cryptographic practices is recommended to prevent recurrence.