CVE-2025-35052
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-22
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| newforma | project_center | to 2024.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves Newforma Info Exchange (NIX) using a hard-coded encryption key to encrypt certain query parameters. Some of these encrypted parameters can specify file download paths, potentially allowing attackers to bypass authentication and authorization controls to download files they should not access. The hard-coded key is shared across all NIX installations, increasing the risk. Later versions (NIX 2023.3 and 2024.1) have limited the use of such hard-coded keys.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to bypass authentication and authorization mechanisms to download files from the system. This could lead to exposure of sensitive or confidential information, potentially compromising data confidentiality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Newforma Info Exchange (NIX) to versions 2023.3 or 2024.1 or later, as these versions limit the use of hard-coded keys that enable unauthorized file downloads.