CVE-2025-35051

CriticalRCE

Published: 09 October 2025

Published

09 October 2025

Modified

26 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0024 46.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-35051 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Newforma Project Center. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-7 Boundary Protection good match

prevent

Enforces boundary protection to restrict network access to the vulnerable NPCS '/ProjectCenter.rem' endpoint on TCP/9003, directly implementing the recommended mitigation of limiting exposure to internal networks only.

SI-10 Information Input Validation good match

prevent

Validates untrusted serialized .NET data inputs to prevent deserialization of malicious payloads exploiting CWE-502.

AC-3 Access Enforcement partial match

prevent

Enforces approved authorizations and authentication for access to the critical endpoint, addressing the unauthenticated remote code execution via CWE-306.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote code execution via exploitation of a public-facing .NET remoting endpoint, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible…

on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

Deeper analysisAI

CVE-2025-35051 is a critical vulnerability in Newforma Project Center Server (NPCS) that enables remote code execution through the acceptance of serialized .NET data via the '/ProjectCenter.rem' endpoint on TCP port 9003. This flaw stems from deserialization of untrusted data (CWE-502) combined with missing authentication for a critical function (CWE-306), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker who can reach the vulnerable endpoint can send crafted serialized .NET payloads to execute arbitrary code running with 'NT AUTHORITY\NetworkService' privileges, potentially leading to full system compromise on the affected server.

According to advisories, the recommended architecture limits the NPCS endpoint to internal network access only; mitigation requires restricting network access to NPCS. Further details are provided in references including https://projectcenter.help.newforma.com/overviews/info_exchange_overview/, https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json, and https://www.cve.org/CVERecord?id=CVE-2025-35051.