
Description

Newforma Info Exchange (NIX) accepts requests to '/UserWeb/Common/MarkupServices.ashx' specifying the 'DownloadExportedPDF' command that allow an authenticated user to read and delete arbitrary files with 'NT AUTHORITY\NetworkService' privileges. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-09 | Updated 2025-10-10 | Assigner cisa-cg

MEDIUM: 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
MEDIUM: 6.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:L

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73 External Control of File Name or Path

Product status

Default status: unknown

Version *: affected

Version 2024.3: affected

Credits

Shadron Gudmunson, Luke Rindels, Robert McCain, Asjha Stus, Adam Merrill, Ryan Kao, Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)

References

www.cve.org/CVERecord?id=CVE-2025-35062 (url)

raw.githubusercontent.com/...IT/white/2025/va-25-282-01.json (url)

www.cve.org/CVERecord?id=CVE-2025-35053 (url)

cve.org (CVE-2025-35053)

nvd.nist.gov (CVE-2025-35053)
