
CVE-2025-35062: CWE-276 Incorrect Default Permissions in Newforma Project Center

Severity: Medium
Tags: Vulnerability, CVE-2025-35062, CWE-276
Published: Thu Oct 09 2025 (10/09/2025, 20:22:23 UTC)
Source: CVE Database V5
Vendor/Project: Newforma
Product: Project Center

Description

CVE-2025-35062 is a medium-severity vulnerability in Newforma Project Center's Info Exchange (NIX) component before version 2023.1. The vulnerability arises from incorrect default permissions that allow anonymous authentication, enabling unauthenticated attackers to access functionality that normally requires authentication. This can lead to exploitation of additional vulnerabilities without needing credentials. The CVSS 4.0 score is 6.9, reflecting a network attack vector, no privileges or user interaction required, and limited confidentiality impact. There are no known exploits in the wild yet. European organizations using Newforma Project Center should be aware of this risk, especially those in the architecture, engineering, and construction sectors where the product is commonly used. Mitigation involves updating to version 2023.1.

AI-Powered Analysis

Last updated: 10/17/2025, 05:19:53 UTC

Technical Analysis

CVE-2025-35062 is a vulnerability categorized under CWE-276 (Incorrect Default Permissions) affecting Newforma Project Center's Info Exchange (NIX) component prior to version 2023.1. The core issue is that the software, by default, allows anonymous authentication: unauthenticated users can connect to the system without providing credentials. This misconfiguration bypasses the intended access controls and lets attackers reach functionality, and exploit other vulnerabilities, that normally require authentication.

The vulnerability has a CVSS 4.0 base score of 6.9, a medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (VC:L), with no integrity or availability impact. Because neither authentication nor a security scope change is required, the issue is straightforward to exploit remotely. Although no exploits are currently reported in the wild, default anonymous access significantly lowers the barrier for attackers to gain unauthorized access and potentially pivot to other attack paths within the system.

Newforma Project Center is widely used for project management in the architecture, engineering, and construction industries, where sensitive project data and communications are handled. The incorrect default permissions could expose confidential project information or enable further compromise of the environment if chained with other vulnerabilities. No patch link is provided in the advisory; users should upgrade to version 2023.1 or later, where this default behavior is corrected. Organizations should audit their current deployments to ensure anonymous authentication is disabled and monitor for unusual access patterns.

Potential Impact

For European organizations, especially those in architecture, engineering, construction, and project management sectors, this vulnerability poses a risk of unauthorized data exposure and potential lateral movement within internal networks. Confidential project data, including designs, contracts, and communications, could be accessed by unauthenticated attackers, leading to intellectual property theft or competitive disadvantage. The medium severity reflects limited direct impact on integrity and availability but highlights confidentiality concerns. Exploitation ease is high due to no authentication or user interaction requirements, increasing the likelihood of reconnaissance and initial compromise. This could also facilitate further exploitation of chained vulnerabilities requiring authentication, amplifying the overall risk. Organizations handling sensitive infrastructure or government projects may face additional regulatory and compliance risks under GDPR and other data protection laws if unauthorized access leads to data breaches. The lack of known exploits currently reduces immediate threat but does not eliminate the risk, especially as attackers often develop exploits after public disclosure.

Mitigation Recommendations

1. Upgrade Newforma Project Center to version 2023.1 or later, where the anonymous authentication default is corrected.
2. Immediately audit existing deployments to verify that anonymous authentication is disabled.
3. Implement network segmentation to restrict access to the Project Center servers to authorized internal users and trusted networks only.
4. Enable detailed logging and monitoring of authentication attempts and access patterns to detect any unauthorized or anomalous activity.
5. Conduct regular vulnerability assessments and penetration testing focusing on authentication and access control mechanisms.
6. Educate system administrators and users about the risks of default configurations and the importance of secure authentication settings.
7. Apply strict access control policies and consider multi-factor authentication for all users accessing the Project Center.
8. Coordinate with Newforma support for any interim patches or configuration guidance until upgrades are fully deployed.


Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-04-15T20:56:24.406Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68e81d27ba0e608b4fac945c

Added to database: 10/9/2025, 8:37:59 PM

Last enriched: 10/17/2025, 5:19:53 AM

Last updated: 11/23/2025, 9:55:29 PM

