CVE-2025-35055: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Newforma Project Center
CVE-2025-35055 is a high-severity path traversal and arbitrary file upload vulnerability in Newforma Project Center's Info Exchange component. Authenticated attackers can upload malicious files, including web shells, to any location writable by the application, enabling remote code execution and directory deletion. Additionally, versions prior to 2023.1 enable anonymous access by default (CVE-2025-35062), allowing unauthenticated attackers to exploit this vulnerability. The CVSS score is 8.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity and no user interaction required. No known exploits are currently reported in the wild. European organizations using Newforma Project Center should urgently assess exposure and apply mitigations to prevent potential compromise.
AI Analysis
Technical Summary
CVE-2025-35055 is a high-severity vulnerability affecting Newforma Project Center's Info Exchange (NIX) component, specifically the '/UserWeb/Common/UploadBlueimp.ashx' endpoint. This endpoint improperly restricts pathname inputs, allowing an authenticated attacker to perform path traversal and upload arbitrary files to any location writable by the NIX application. Such uploaded files can include web shells or other executable content that the web server will run, leading to remote code execution (RCE). The attacker can also delete directories, severely impacting system availability and data integrity. Compounding the risk, versions of Newforma prior to 2023.1 have anonymous access enabled by default (CVE-2025-35062), so an unauthenticated attacker can obtain the 'anonymous' identity and reach the file upload vulnerability without credentials. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 8.8, indicating high severity with a network attack vector, low attack complexity, privileges required (authenticated, or anonymous in affected versions), no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the potential for severe damage through remote code execution and data destruction is significant. The lack of an available patch at the time of publication necessitates immediate risk mitigation and monitoring by affected organizations.
Potential Impact
For European organizations using Newforma Project Center, this vulnerability poses a significant risk of unauthorized remote code execution, data deletion, and potential full system compromise. The ability to upload and execute arbitrary files can lead to theft of sensitive project data, disruption of critical workflows, and potential lateral movement within corporate networks. Given the construction and engineering sectors' reliance on Newforma products for project management, any compromise could delay projects, cause financial losses, and damage reputations. The default anonymous access in older versions increases the attack surface by allowing unauthenticated exploitation, which is particularly concerning for organizations with externally accessible NIX instances. The impact extends beyond confidentiality and integrity to availability, as attackers can delete directories, potentially causing service outages. Regulatory compliance risks also arise if personal or sensitive data is exposed or destroyed, especially under GDPR requirements. Overall, the vulnerability threatens operational continuity and data security in European firms using this software.
Mitigation Recommendations
European organizations should immediately audit their Newforma Project Center deployments to identify affected versions, especially those prior to 2023.1. If upgrading to a patched version is not yet possible, organizations should disable or restrict access to the '/UserWeb/Common/UploadBlueimp.ashx' endpoint via web application firewalls or network segmentation. Enforce strict authentication and authorization controls to prevent anonymous access, particularly disabling the default anonymous access setting in older versions. Implement monitoring and alerting for unusual file uploads or web shell indicators on the NIX server. Conduct thorough file system permission reviews to limit writable directories accessible by the application, minimizing the impact of any successful upload. Employ intrusion detection systems to detect exploitation attempts and maintain regular backups to recover from potential data deletion. Coordinate with Newforma for timely patch releases and apply them as soon as available. Additionally, perform penetration testing focused on file upload and path traversal vectors to validate the effectiveness of mitigations.
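As an added example (not Newforma's code or anything from this advisory), the following Python models the server-side check the mitigations above call for: a client-supplied name is accepted only as a bare filename with an allow-listed extension, and the resolved target is verified to sit inside the upload root before anything is written. The upload root, the extension allow list and the sample names are assumptions constructed for the demonstration, and the logic is shown in Python rather than in the ASP.NET handler itself.

```python
"""Added example, not code from Newforma or this advisory: an upload-target
resolver closing CWE-22 (traversal) and CWE-434 (dangerous type) before any
bytes reach disk. UPLOAD_ROOT, ALLOWED_EXTENSIONS, SAMPLE_NAMES are constructed."""
import os
import re

UPLOAD_ROOT = os.path.abspath("/srv/nix/uploads")        # assumed root
ALLOWED_EXTENSIONS = {".pdf", ".dwg", ".docx", ".xlsx"}  # assumed policy
# One plain path component: no '/', '\', ':', NUL or leading dot, so both
# Windows- and POSIX-style traversal sequences fail this test outright.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,200}")

class UnsafeUpload(ValueError):
    """The client-supplied name must not be written anywhere."""

def sanitize_filename(client_name: str) -> str:
    """Accept only a bare filename with an allow-listed extension. Names are
    rejected rather than 'cleaned', so each refusal is worth alerting on."""
    if not _SAFE_NAME.fullmatch(client_name):
        raise UnsafeUpload(f"rejected name: {client_name!r}")
    if os.path.splitext(client_name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeUpload(f"disallowed file type: {client_name!r}")
    return client_name

def resolve_upload_target(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute on-disk path the upload may be written to."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, sanitize_filename(client_name)))
    # Defence in depth: containment is checked on the resolved path, so a bug
    # in sanitize_filename cannot become a write outside the upload root.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeUpload(f"escapes upload root: {target!r}")
    return target

def check_upload_names(names):
    """Map each name to 'ok' or 'rejected'; usable in tests and log review."""
    results = {}
    for name in names:
        try:
            resolve_upload_target(name)
            results[name] = "ok"
        except UnsafeUpload:
            results[name] = "rejected"
    return results

# Constructed samples: two benign names, then traversal and file-type attempts.
SAMPLE_NAMES = ["site-plan.pdf", "Floor 2.DWG", "../../wwwroot/x.pdf",
                "..\\..\\wwwroot\\x.pdf", "C:\\Temp\\x.pdf", "notes.aspx",
                "x.pdf:stream", "report.pdf."]
```

Every rejection is a request that a legitimate client never sends, so the same function doubles as a cheap indicator for the upload monitoring the recommendations ask for.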
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.406Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e81d26ba0e608b4fac9434
Added to database: 10/9/2025, 8:37:58 PM
Last enriched: 10/17/2025, 5:18:27 AM
Last updated: 11/28/2025, 6:47:42 PM