CVE-2025-35052 | THREATINT

Description

Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shared across NIX installations. NIX 2023.3 and 2024.1 limit the use of hard-coded keys.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-09 | Updated 2025-10-09 | Assigner cisa-cg

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

Product status

Default status

unknown

affected

2024.3

affected

Credits

Shadron Gudmunson,Luke Rindels,Robert McCain,Asjha Stus,Adam Merrill,Ryan Kao,Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)

References

www.cve.org/CVERecord?id=CVE-2025-35052 (url)

raw.githubusercontent.com/...IT/white/2025/va-25-282-01.json (url)

cve.org (CVE-2025-35052)

nvd.nist.gov (CVE-2025-35052)

Download JSON