CVE-2025-35055: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Newforma Project Center
Newforma Info Exchange (NIX) '/UserWeb/Common/UploadBlueimp.ashx' allows an authenticated attacker to upload an arbitrary file to any location writable by the NIX application. An attacker can upload and run a web shell or other content executable by the web server. An attacker can also delete directories. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.
AI Analysis
Technical Summary
CVE-2025-35055 is a critical vulnerability affecting Newforma Project Center's Info Exchange (NIX) component, specifically the '/UserWeb/Common/UploadBlueimp.ashx' endpoint. The vulnerability arises from improper limitation of a pathname to a restricted directory (CWE-22) combined with an unrestricted file upload flaw (CWE-434). Authenticated attackers can exploit it to upload arbitrary files to any location writable by the NIX application, including locations from which the web server will execute content. This enables attackers to deploy web shells or other malicious payloads, leading to remote code execution, unauthorized file deletion, and potentially full system compromise. Compounding the risk, versions prior to 2023.1 enable anonymous access by default (CVE-2025-35062), so an otherwise unauthenticated attacker can authenticate as 'anonymous' and reach the upload endpoint without credentials. The vulnerability has a CVSS v3.1 base score of 8.8 (high): network attack vector, low attack complexity, privileges required but no user interaction, and impact on confidentiality, integrity, and availability. Although no exploitation in the wild has been reported yet, the potential impact is severe given the ability to execute arbitrary code and manipulate files on the server. The vulnerability affects all versions prior to 2023.1, and no official patches have been linked yet, so immediate mitigation is needed. The flaw is particularly concerning for organizations relying on Newforma Project Center for project collaboration and document management, as it could lead to data breaches, operational disruption, and lateral movement within networks.
Potential Impact
For European organizations, especially those in architecture, engineering, and construction sectors that commonly use Newforma Project Center, this vulnerability poses a significant threat. Exploitation can lead to unauthorized access to sensitive project data, intellectual property theft, and disruption of critical project workflows. The ability to upload and execute arbitrary files can result in full system compromise, enabling attackers to move laterally within corporate networks, exfiltrate data, or deploy ransomware. The default anonymous access in affected versions increases the attack surface by allowing unauthenticated exploitation, raising the risk for organizations that have not hardened their deployments. Given the collaborative nature of Newforma Project Center, multiple users and systems may be impacted, amplifying the potential damage. Additionally, disruption or data loss could delay project timelines and cause financial and reputational damage. Regulatory compliance risks also arise if sensitive personal or project data is exposed, potentially violating GDPR and other European data protection laws.
Mitigation Recommendations
European organizations should immediately audit their Newforma Project Center deployments to identify affected versions, especially those prior to 2023.1. Recommended steps:
- Disable anonymous access to the Info Exchange component to prevent unauthenticated exploitation.
- Implement strict access controls and ensure only trusted, authenticated users have upload permissions.
- Monitor web server logs and application logs for unusual file upload activity or execution of unexpected scripts.
- Employ web application firewalls (WAFs) with rules to detect and block path traversal and suspicious file uploads targeting the vulnerable endpoint.
- Isolate the Newforma server from critical internal networks to limit lateral movement in case of compromise.
- Regularly back up project data and verify backup integrity to enable recovery from potential destructive attacks.
- Engage with Newforma for official patches or updates addressing this vulnerability and apply them promptly once available.
- Conduct internal security awareness training to highlight the risks of this vulnerability and encourage reporting of anomalies.
- Consider deploying endpoint detection and response (EDR) solutions to detect post-exploitation behaviors.
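The control whose absence CWE-22 describes is confinement of a client-supplied file name to a fixed upload directory. The following is an added Python example, not Newforma's code and not a description of how UploadBlueimp.ashx is implemented; it shows the shape of a safe upload-destination check that a handler like this one would carry (in C#, for a real IIS application). The upload root, the extension list and the sample file names are constructed for the example.

```python
import os
import posixpath

# Constructed upload root for this example; the real NIX upload location is not
# given in the advisory.
UPLOAD_ROOT = "/srv/nix/uploads"

# Extensions that IIS hands to a script engine or loads as code. A file stored
# under one of these names is the "web shell" case the advisory describes, so
# they are refused regardless of where the file would land.
SERVER_EXECUTABLE_EXT = {
    ".ashx", ".asmx", ".aspx", ".asax", ".asp", ".cshtml", ".config",
    ".dll", ".exe", ".ps1", ".bat", ".cmd",
}


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name must not be written to disk."""


def naive_destination(upload_root: str, client_name: str) -> str:
    """The CWE-22 shape: the client's name is joined onto the root verbatim.

    '..' segments walk out of upload_root, and os.path.join discards the root
    entirely when client_name is absolute. Shown only to contrast with
    safe_destination; never use this for real uploads.
    """
    return os.path.normpath(os.path.join(upload_root, client_name))


def safe_destination(upload_root: str, client_name: str) -> str:
    """Return the canonical path the upload may be written to, or raise."""
    if not client_name or "\x00" in client_name:
        raise RejectedUpload("empty name or embedded NUL byte")

    # The server is IIS on Windows, so a backslash is a separator too. Once
    # normalised, refuse absolute paths, drive letters (C:...) and NTFS
    # alternate data streams (name.txt:stream), all of which carry a ':'.
    name = client_name.replace("\\", "/")
    if posixpath.isabs(name) or ":" in name:
        raise RejectedUpload("absolute, drive-qualified or stream-qualified name")

    # Keep relative sub-folders (projects/42/...) but no parent references.
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise RejectedUpload("no usable name or parent-directory segment")

    # Windows silently strips trailing dots and spaces, so 'page.aspx.' is
    # stored as 'page.aspx'; strip them first so the extension check sees
    # the name the file system will actually use.
    leaf = parts[-1].rstrip(". ")
    if not leaf:
        raise RejectedUpload("file name is only dots or spaces")
    ext = os.path.splitext(leaf)[1].lower()
    if ext in SERVER_EXECUTABLE_EXT:
        raise RejectedUpload(f"server-executable extension {ext!r}")
    parts[-1] = leaf

    # Canonicalise both ends and require containment. commonpath, not
    # str.startswith, so that /srv/nix/uploads2 is not mistaken for a child
    # of /srv/nix/uploads.
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, dest]) != root:
        raise RejectedUpload("destination escapes the upload root")
    return dest


def classify(upload_root: str, client_name: str) -> str:
    """'accepted' or the rejection reason; convenient for tests and log review."""
    try:
        safe_destination(upload_root, client_name)
        return "accepted"
    except RejectedUpload as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed file names of the kind a browser upload widget might send.
    for sample in ["projects/42/spec.pdf", "../web/page.aspx", "report.aspx",
                   "report.aspx.", "C:\\inetpub\\wwwroot\\a.txt",
                   "notes.txt\x00.jpg"]:
        print(f"{sample!r:40} naive -> {naive_destination(UPLOAD_ROOT, sample)}")
        print(f"{'':40} safe  -> {classify(UPLOAD_ROOT, sample)}")
```

The order of the checks matters: the NUL and separator handling runs before anything touches the file system, the extension check runs on the name Windows will actually store, and the containment check compares canonical paths with `os.path.commonpath` rather than a string prefix. The same three stages map directly onto WAF rules for the endpoint (reject traversal sequences, reject server-executable extensions) and onto log review (a request whose file name would fail any stage is worth an alert).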
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.406Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e81d26ba0e608b4fac9434
Added to database: 10/9/2025, 8:37:58 PM
Last enriched: 10/9/2025, 8:53:18 PM
Last updated: 10/11/2025, 9:23:06 AM