CVE-2025-35050 Overview
CVE-2025-35050 is a critical insecure deserialization vulnerability affecting Newforma Info Exchange (NIX), a component of the Newforma Project Center architecture. The vulnerability exists in the /remoteweb/remote.rem endpoint, which accepts serialized .NET data without proper authentication or validation. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code with NT AUTHORITY\NetworkService privileges on the target system.
The vulnerable endpoint is used by Newforma Project Center Server (NPCS) for communication purposes, meaning a compromised NIX system can be leveraged as a pivot point to attack associated NPCS systems, significantly expanding the potential blast radius of a successful exploit.
Critical Impact
Unauthenticated remote code execution with NetworkService privileges, enabling full system compromise and potential lateral movement to connected Newforma Project Center Server systems.
Affected Products
- Newforma Project Center version 2024.3
- Newforma Info Exchange (NIX) component
- Newforma Project Center Server (NPCS) - exposed via NIX compromise
Discovery Timeline
- 2025-10-09 - CVE-2025-35050 published to NVD
- 2026-01-09 - Last updated in NVD database
Technical Details for CVE-2025-35050
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), though the underlying exploitation mechanism involves insecure deserialization of .NET objects. The /remoteweb/remote.rem endpoint is designed to handle .NET remoting requests between NIX and NPCS components but fails to implement proper authentication controls.
.NET remoting endpoints that accept serialized objects are inherently dangerous when exposed without authentication. An attacker can craft malicious serialized payloads containing objects that, when deserialized by the server, trigger code execution through gadget chains present in the .NET framework or application dependencies.
The fact that the vulnerable endpoint operates under NT AUTHORITY\NetworkService privileges means successful exploitation grants the attacker significant system access, including the ability to interact with network resources, access local files, and potentially escalate privileges further.
Root Cause
The root cause of this vulnerability is the absence of authentication controls on the /remoteweb/remote.rem endpoint combined with the inherent risks of .NET remoting deserialization. The endpoint accepts and processes serialized .NET data from any network-accessible client without verifying the identity or authorization of the requester. This design flaw allows attackers to submit arbitrary serialized payloads that are processed by the server's .NET runtime.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the NIX server can send specially crafted HTTP requests to the /remoteweb/remote.rem endpoint containing malicious serialized .NET objects.
The exploitation process typically involves:
- Identifying a network-accessible NIX server with the vulnerable endpoint
- Crafting a serialized .NET payload using known deserialization gadget chains (such as those leveraging TypeConfuseDelegate, TextFormattingRunProperties, or similar gadgets)
- Sending the payload via HTTP POST to the /remoteweb/remote.rem endpoint
- The server deserializes the payload, triggering the embedded gadget chain and executing attacker-controlled code
Once code execution is achieved with NetworkService privileges, the attacker can establish persistent access, exfiltrate data, or pivot to attack the associated NPCS system.
Detection Methods for CVE-2025-35050
Indicators of Compromise
- Unusual HTTP POST requests to the /remoteweb/remote.rem endpoint from external or unauthorized IP addresses
- Unexpected process spawning from the IIS worker process (w3wp.exe) running the NIX application
- New network connections established by the NetworkService account to unfamiliar destinations
- Suspicious .NET remoting traffic patterns or anomalous serialized object payloads in IIS logs
- Evidence of lateral movement attempts from the NIX server to NPCS systems
Detection Strategies
- Monitor IIS access logs for requests targeting /remoteweb/remote.rem, particularly from non-standard source IPs
- Implement network intrusion detection rules to identify .NET remoting traffic to this specific endpoint
- Deploy endpoint detection and response (EDR) solutions to detect anomalous process execution originating from IIS worker processes
- Configure SIEM alerts for authentication-less access patterns to the vulnerable endpoint
Monitoring Recommendations
- Enable detailed IIS logging including request bodies for forensic analysis capabilities
- Implement network segmentation monitoring to detect unauthorized communication between NIX and NPCS systems
- Deploy file integrity monitoring on the NIX server to detect unauthorized file modifications
- Monitor Windows Security event logs for suspicious service account activity under NetworkService context
How to Mitigate CVE-2025-35050
Immediate Actions Required
- Restrict network access to the /remoteweb/remote.rem endpoint using firewall rules or IIS URL Rewrite Module
- Implement network segmentation to limit which systems can communicate with NIX servers
- Review IIS logs for any evidence of prior exploitation attempts
- Audit all Newforma Project Center deployments to identify exposed NIX instances
- Contact Newforma support for guidance on vendor-provided patches or updates
Patch Information
At the time of publication, organizations should consult Newforma directly for official patches addressing this vulnerability. Review the CISA CSAF Document for additional advisory details and the CVE-2025-35050 Record for current status information. The Newforma Info Exchange Overview provides additional context about the affected component.
Workarounds
- Use the IIS URL Rewrite Module to block access to the /remoteweb/remote.rem endpoint from unauthorized sources
- Implement IP allowlisting to restrict endpoint access to only trusted NPCS systems
- Place NIX servers behind a reverse proxy or web application firewall (WAF) with request inspection capabilities
- Disable the /remoteweb/remote.rem endpoint if not operationally required
# IIS URL Rewrite configuration to block unauthorized access
# Add to web.config in the NIX application root
# This rule blocks all external access to the vulnerable endpoint
# Navigate to IIS Manager > URL Rewrite > Add Rule(s)
# Create a Request Blocking rule:
# Pattern: ^remoteweb/remote\.rem$
# Block request based on: URL Path
# How to block: Abort Request
# Alternative: Use IP Address restriction in IIS
# IIS Manager > IP Address and Domain Restrictions
# Deny all except specific trusted NPCS server IPs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
