CVE-2025-35061 is an authentication bypass vulnerability classified under CWE-294 (Authentication Bypass by Capture-replay) affecting Newforma Project Center's Info Exchange (NIX) component, specifically the '/NPCSRemoteWeb/LegacyIntegrationServices.asmx' endpoint. The flaw allows a remote attacker with no authentication to induce the vulnerable system to initiate an SMB connection to an attacker-controlled server. During this connection, the system transmits the NTLMv2 hash of the user-configured NIX service account. The attacker can capture this hash and potentially perform offline brute-force attacks or relay it to gain unauthorized access to network resources. The vulnerability arises because the service does not properly validate or restrict outbound SMB connections triggered by unauthenticated requests, enabling the capture-replay attack vector. The CVSS v4.0 score is 8.2 (high), reflecting the network attack vector, low attack complexity, no user interaction, and high impact on confidentiality. There is no indication of existing patches or known exploits in the wild as of the publication date. This vulnerability is particularly concerning because it targets service account credentials, which often have elevated privileges, increasing the risk of lateral movement and privilege escalation within affected environments.

For European organizations, the impact of CVE-2025-35061 is significant due to the potential compromise of service account credentials used by Newforma Project Center. These credentials, if cracked or relayed, can allow attackers to impersonate legitimate services or users, leading to unauthorized access to sensitive project data, intellectual property, and internal networks. The confidentiality of project management and construction data could be severely compromised, affecting business operations and client trust. Additionally, the vulnerability could facilitate lateral movement within corporate networks, increasing the risk of broader compromise. Organizations in sectors such as architecture, engineering, and construction, which commonly use Newforma products, are particularly vulnerable. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks. The absence of patches means organizations must rely on compensating controls until a fix is released.

1. Immediately restrict outbound SMB (ports 445 and 139) traffic from servers running Newforma Project Center to only trusted internal systems. 2. Implement network segmentation to isolate the Newforma Project Center servers from untrusted networks and the internet. 3. Monitor network traffic for unusual SMB connection attempts, especially outbound connections to unknown IP addresses. 4. Use network intrusion detection/prevention systems (IDS/IPS) to detect and block SMB relay or capture-replay attack patterns. 5. Enforce strong password policies and consider rotating service account credentials regularly to limit the usefulness of captured hashes. 6. Enable SMB signing and enforce NTLMv2 authentication to mitigate relay attacks. 7. Apply strict firewall rules and consider disabling SMBv1 protocol if still enabled. 8. Engage with Newforma for updates and patches and plan for rapid deployment once available. 9. Conduct regular security audits and penetration tests focusing on authentication mechanisms and network traffic from critical servers.