CVE-2025-35053: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Newforma Project Center
CVE-2025-35053 is a medium severity path traversal vulnerability in Newforma Project Center that allows authenticated users to read and delete arbitrary files with NT AUTHORITY\NetworkService privileges via the '/UserWeb/Common/MarkupServices.ashx' endpoint. Versions before 2023.1 have anonymous access enabled by default (CVE-2025-35062), so on those versions an unauthenticated attacker can exploit the flaw as the anonymous user. The vulnerability arises from improper limitation of a pathname to a restricted directory (CWE-22) combined with external control of the file name or path used in the file operations (CWE-73). Exploitation requires no user interaction but does require an authenticated account, or anonymous access where that is enabled. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, low (partial) confidentiality and availability impact, no integrity impact. No exploitation in the wild is currently reported.
AI Analysis
Technical Summary
CVE-2025-35053 is a path traversal vulnerability affecting Newforma Project Center, a project information management product widely used in the architecture, engineering, and construction industries. The flaw lies in the handling of requests to the '/UserWeb/Common/MarkupServices.ashx' endpoint, specifically the 'DownloadExportedPDF' command: a file name taken from the request is used in file operations without being confined to the intended export directory (CWE-22, with the file name under external control, CWE-73), so an authenticated user can read and delete arbitrary files on the server. The operations run as 'NT AUTHORITY\NetworkService', a common identity for IIS application pools. It is a built-in account with limited local privileges rather than a highly privileged one, but it typically has read access to most system and application directories and write (hence delete) access to the application's own data, so the reachable files include application configuration, project data, and anything else the account can open. Versions before 2023.1 have anonymous access enabled by default (CVE-2025-35062), so on those versions the flaw is reachable without credentials. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (an authenticated account, or the anonymous user where enabled), no user interaction, low confidentiality impact (reading files) and low availability impact (deleting files); file deletion is scored here as an availability rather than an integrity impact. No public exploit is currently known, but the potential for abuse exists, especially where anonymous access is enabled. The vulnerability affects all versions up to and including 2024.3, and no patch is linked in this record, so vendor guidance or workarounds are needed. Organizations using Newforma Project Center should review access controls, disable anonymous access where possible, and monitor for suspicious file access or deletion activity.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, particularly in the architecture, engineering, and construction sectors where Newforma Project Center is commonly deployed. Exploitation could disclose sensitive project files, intellectual property, and client data, undermining confidentiality; reading server-side configuration such as the ASP.NET web.config could additionally expose connection strings or service credentials, which is the realistic route from this file-read primitive to a broader foothold in the corporate network. The ability to delete files with NetworkService privileges risks disrupting project workflows and the availability of critical documentation, causing project delays and financial losses. Because the vulnerability is exploitable remotely with low complexity, and without credentials where anonymous access is enabled, organizations with lax access controls or default anonymous access settings are at higher risk. Exposure or loss of personal data can also carry regulatory obligations under GDPR. The absence of known exploitation in the wild reduces immediate risk but does not eliminate it, since exploits are commonly developed after public disclosure.
Mitigation Recommendations
1. Review and disable anonymous access in Newforma Project Center, especially on versions prior to 2023.1 where it is enabled by default (CVE-2025-35062); this removes the unauthenticated path but not the authenticated one.
2. Apply patches or updates from Newforma as soon as they are available and monitor vendor advisories closely; no fix was linked at the time of this record.
3. Restrict access to the Project Center web application to trusted users and networks through access controls and network segmentation; it should not be reachable from the internet without an authenticating proxy or VPN.
4. Monitor IIS logs for requests to '/UserWeb/Common/MarkupServices.ashx' carrying the 'DownloadExportedPDF' command whose query contains traversal sequences ('../', '..\'), absolute or UNC paths, or their URL-encoded and double-encoded forms, and for unexpected file deletions under the application and export directories.
5. Deploy a Web Application Firewall (WAF) with custom rules for this endpoint that match traversal sequences after full URL decoding and treat backslashes as path separators; rules that match only the literal '../' are trivially bypassed.
6. Include file handling and access control mechanisms in regular security assessments and penetration tests of Newforma Project Center.
7. Educate administrators and users about the risks of default anonymous access and enforce strong authentication policies.
8. If patching is delayed, restrict access to the vulnerable endpoint or disable the affected functionality where feasible, and run the application pool under an identity that holds only the file permissions the application needs, so that a successful traversal reaches fewer files.
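Mitigation item 4 asks for log monitoring of the endpoint; the following added Python example (not vendor or database code) shows what that check looks like over IIS W3C log lines. The log excerpt is constructed and assumes the default W3C field layout with cs-uri-query logged as received, percent-encoding intact. Because the advisory does not publish the query parameter that carries the file name, the detector keys on the endpoint path, the DownloadExportedPDF string and traversal or absolute-path tokens anywhere in the decoded query, and it decodes repeatedly so single-encoded, double-encoded and backslash (%5c) variants are all caught.

```python
"""Detect path-traversal attempts against MarkupServices.ashx in IIS W3C logs.

Added illustration, not vendor or database code. Assumes IIS W3C logging
with a #Fields: header, cs-uri-query logged as received (percent-encoding
intact) and the exported-file name carried in the query string. The query
parameter name is not published, so the detector looks for the
DownloadExportedPDF command and traversal tokens anywhere in the query.
"""
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/userweb/common/markupservices.ashx"

# Constructed sample log excerpt (not real traffic). Field layout follows a
# trimmed IIS W3C default; IIS logs spaces inside values as '+'.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-09 08:00:01 10.0.0.5 GET /UserWeb/Common/MarkupServices.ashx cmd=DownloadExportedPDF&file=report-42.pdf 443 CORP\alice 10.0.0.20 Mozilla/5.0 200
2025-10-09 08:00:07 10.0.0.5 GET /UserWeb/Common/MarkupServices.ashx cmd=DownloadExportedPDF&file=..%5c..%5cweb.config 443 CORP\alice 10.0.0.20 Mozilla/5.0 200
2025-10-09 08:00:09 10.0.0.5 GET /UserWeb/Common/MarkupServices.ashx cmd=DownloadExportedPDF&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd 443 - 198.51.100.7 python-requests/2.32 200
2025-10-09 08:00:11 10.0.0.5 GET /UserWeb/Common/MarkupServices.ashx cmd=DownloadExportedPDF&file=C:%5cWindows%5cwin.ini 443 - 198.51.100.7 python-requests/2.32 404
2025-10-09 08:00:15 10.0.0.5 GET /UserWeb/Default.aspx - 443 CORP\bob 10.0.0.21 Mozilla/5.0 200
"""

# ".." as a whole path component, with '/' or '\' as separator, directly after
# a parameter boundary or another separator.
TRAVERSAL = re.compile(r"(?:^|[=&\\/])\.\.(?:[\\/&]|$)")
# A value starting with a drive letter (C:\), a UNC prefix (\\host) or a
# rooted path (/etc/...).
ABSOLUTE = re.compile(r"(?:^|=)(?:[A-Za-z]:[\\/]|[\\/]{2}|/)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2e%2e, %252e%252e and '..' compare
    equal; stops as soon as a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value.replace("+", " "))
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text: str):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def scan(text: str) -> list:
    """Return findings for requests to the vulnerable endpoint whose decoded
    query contains traversal or absolute-path indicators."""
    findings = []
    for record_no, rec in enumerate(parse_w3c(text), 1):
        if rec.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        query = fully_decode(rec.get("cs-uri-query", ""))
        reasons = []
        if TRAVERSAL.search(query):
            reasons.append("dot-dot traversal")
        if ABSOLUTE.search(query):
            reasons.append("absolute or UNC path")
        if not reasons:
            continue
        findings.append({
            "record": record_no,
            "client": rec.get("c-ip"),
            "user": rec.get("cs-username"),
            "status": rec.get("sc-status"),
            "export_cmd": "downloadexportedpdf" in query.lower(),
            "query": query,
            "reasons": reasons,
        })
    return findings


def count_by_client(findings: list) -> dict:
    """Attempts per source address; a natural blocking or alerting threshold."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["record"], f["client"], f["user"], f["status"], f["reasons"], f["query"])
    print(count_by_client(scan(SAMPLE_LOG)))
```

Pass the contents of a real log file to `scan()`; the sc-status field is kept in each finding because a 200 on a traversal request means the read (and, per the advisory, the delete) likely succeeded, whereas a 404 is an attempt worth blocking but probably not a loss. The same tokens, matched after the same decoding, are what a WAF rule for item 5 should use; matching only the literal '../' misses the backslash and encoded forms in the sample.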
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.406Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e81d26ba0e608b4fac942b
Added to database: 10/9/2025, 8:37:58 PM
Last enriched: 10/17/2025, 5:17:57 AM
Last updated: 11/28/2025, 5:51:50 PM