CVE-2025-35062: CWE-276 Incorrect Default Permissions in Newforma Project Center
Newforma Info Exchange (NIX) before version 2023.1 by default allows anonymous authentication which allows an unauthenticated attacker to exploit additional vulnerabilities that require authentication.
AI Analysis
Technical Summary
CVE-2025-35062 is classified as CWE-276 (Incorrect Default Permissions) and affects the Newforma Info Exchange (NIX) component of Newforma Project Center in versions before 2023.1. Out of the box, NIX accepts anonymous authentication, so a client that presents no credentials at all is still admitted. By itself that exposes whatever the anonymous identity is allowed to reach; the more important consequence, and the one the advisory calls out, is that it removes the authentication barrier in front of other NIX vulnerabilities, letting an unauthenticated attacker reach code paths that would otherwise require a valid login. The advisory assigns a CVSS 4.0 base score of 6.9 (medium): network attack vector, no privileges or user interaction required, limited confidentiality impact, and scope confined to the affected component. No public exploit had been reported at the time of writing. Because the weakness is a default setting rather than a code defect, any installation that has never explicitly changed the setting should be assumed affected regardless of how it was deployed. Newforma Project Center is used for project information management in the architecture, engineering and construction industries, so the data behind a NIX instance is typically sensitive project documents and client correspondence, and exposure of that data or disruption of the workflows around it is the practical outcome to plan for.
Potential Impact
For European organizations in architecture, engineering, construction and project management, the risk is unauthorized access to project information and collaboration data that NIX is meant to share only with named project participants. Exploitation could expose or alter project files, leak details of ongoing work, intellectual property or client information, and disrupt project coordination, with the usual reputational and financial consequences. The medium rating reflects that the default setting alone has limited direct impact; the risk grows with whatever authenticated-only vulnerabilities exist in the same NIX version, because anonymous authentication hands an attacker the precondition for reaching them. Organizations that depend on NIX for day-to-day project exchange could therefore face operational disruption if an attacker chains this misconfiguration with a further flaw. The absence of a known exploit lowers the immediate likelihood but not the exposure, and a default-on misconfiguration needs no exploit development to be found: it is visible to anyone who connects.
Mitigation Recommendations
Upgrade NIX to version 2023.1 or later, the first version in which anonymous authentication is no longer enabled by default. Where an upgrade cannot happen immediately, disable anonymous authentication in the NIX configuration and require credentials on every access point; after either change, verify from an unauthenticated client that NIX endpoints respond with an authentication challenge or a redirect to the login page rather than content, because an explicitly configured value may survive an upgrade and a default that was never reviewed may still be in force. Continue to track vendor communications for patches to the authenticated-only vulnerabilities this issue exposes and apply them promptly. Restrict network reachability of Newforma Project Center to trusted networks and authorized users through segmentation, and enforce strong access controls and multi-factor authentication where the product supports them. Audit web server and application logs for successful requests that carry no authenticated user against paths that should require one, and for a single client walking many project or file resources without logging in, since those are the signatures of anonymous access being exercised. Brief users on reporting unexpected access to project data, and tune intrusion detection or prevention systems to alert on unauthenticated enumeration of the platform.
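The log audit recommended above, as an added example that is not code from the original page or from Newforma: it reads a web server access log in IIS W3C extended format (assumed here, since NIX is a web application; the field order is taken from the log's own `#Fields` header rather than hard-coded) and reports every successful request that carried no authenticated user (`cs-username` of `-`) to a path outside a small allow-list of pages that are legitimately anonymous. The sample log lines and the `/NIX/...` paths are constructed for illustration and are not real NIX endpoints; substitute the login page and landing page of your own deployment.

```python
"""Flag successful anonymous requests to a NIX site in IIS W3C access logs.

Added example, not Newforma code. Assumes IIS W3C extended logging with a
cs-username field ("-" when no user was authenticated). Endpoint paths and
the sample log below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample log, not captured from a real system. The second client
# never logs in yet receives 200s for project and file pages.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-09 08:01:02 10.0.0.5 GET /NIX/Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-10-09 08:01:09 10.0.0.5 POST /NIX/Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2025-10-09 08:01:10 10.0.0.5 GET /NIX/Projects.aspx - 443 CORP\\jsmith 203.0.113.7 Mozilla/5.0 200
2025-10-09 08:15:44 10.0.0.5 GET /NIX/Projects.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-10-09 08:15:45 10.0.0.5 GET /NIX/Files.aspx ProjectID=42 443 - 198.51.100.23 python-requests/2.31 200
2025-10-09 08:15:46 10.0.0.5 GET /NIX/Files.aspx ProjectID=43 443 - 198.51.100.23 python-requests/2.31 200
2025-10-09 08:20:00 10.0.0.5 GET /NIX/Files.aspx ProjectID=44 443 - 198.51.100.23 python-requests/2.31 401
"""

# Pages an unauthenticated client may legitimately request (assumed names, lower-cased).
ALLOWED_ANON = {"/nix/login.aspx", "/nix/default.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    The header is read from the log itself, so a site with a different field
    order still parses; lines whose field count does not match are skipped
    rather than guessed at.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_anonymous_access(text, allowed=ALLOWED_ANON):
    """Return {client_ip: [(uri, status), ...]} for 2xx/3xx responses served to
    requests with no authenticated user on a path outside the allow-list."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        uri = rec.get("cs-uri-stem", "")
        status = int(rec.get("sc-status", "0"))
        if user == "-" and uri.lower() not in allowed and 200 <= status < 400:
            hits[rec["c-ip"]].append((uri, status))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_anonymous_access(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} anonymous success(es)")
        for uri, status in reqs:
            print(f"    {status} {uri}")
```

On the constructed sample the report names only `198.51.100.23`, with three successful anonymous requests; the 401 for the same client is excluded because a challenge is the expected response, and `203.0.113.7` is clean because its only anonymous requests went to the login page. A single client seen this way across many `ProjectID` values is exactly the enumeration pattern the mitigation text describes, and after anonymous authentication is disabled the function should return an empty dict over fresh logs.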
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.406Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 10/9/2025, 8:37:59 PM
Last enriched: 10/9/2025, 8:53:58 PM
Last updated: 10/10/2025, 12:02:38 PM