CVE-2025-35051

Critical · RCE

Published: 09 October 2025

Modified: 26 April 2026
CVSS Score (v4): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0033 (56.0th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-35051 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Newforma Project Center. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-35051 is a critical vulnerability in Newforma Project Center Server (NPCS) that enables remote code execution through the acceptance of serialized .NET data via the '/ProjectCenter.rem' endpoint on TCP port 9003. This flaw stems from deserialization of untrusted data (CWE-502) combined with missing authentication for a critical function (CWE-306), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker who can reach the vulnerable endpoint can send crafted serialized .NET payloads to execute arbitrary code running with 'NT AUTHORITY\NetworkService' privileges, potentially leading to full system compromise on the affected server.

According to the advisories, the recommended architecture exposes the NPCS endpoint to the internal network only; the mitigation is to restrict network access to NPCS. Further details are provided in the references, including https://projectcenter.help.newforma.com/overviews/info_exchange_overview/, https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json, and https://www.cve.org/CVERecord?id=CVE-2025-35051.

Vulnerability details

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

CWE(s)

CWE-306 Missing Authentication for Critical Function
CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote code execution via exploitation of a public-facing .NET remoting endpoint, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-35050: same product (Newforma Project Center)
CVE-2025-35062: same product (Newforma Project Center)
CVE-2025-35055: same product (Newforma Project Center)
CVE-2026-23746: shared CWE-306, CWE-502
CVE-2024-13770: shared CWE-502
CVE-2026-27303: shared CWE-502
CVE-2025-53586: shared CWE-502
CVE-2025-64353: shared CWE-502
CVE-2026-33439: shared CWE-502
CVE-2025-31047: shared CWE-502

Affected Assets

Vendor: newforma · Product: project center · Version: 2024.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

SC-7 Boundary Protection (prevent): enforces boundary protection to restrict network access to the vulnerable NPCS '/ProjectCenter.rem' endpoint on TCP/9003, directly implementing the recommended mitigation of limiting exposure to internal networks only.

SI-10 Information Input Validation (prevent): validates untrusted serialized .NET data inputs to prevent deserialization of malicious payloads exploiting CWE-502.

Access enforcement (prevent): enforces approved authorizations and authentication for access to the critical endpoint, addressing the unauthenticated remote code execution via CWE-306.