Description

Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted, but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-09 | Updated 2025-10-10 | Assigner cisa-cg




MEDIUM: 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MEDIUM: 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-922 Insecure Storage of Sensitive Information

CWE-522 Insufficiently Protected Credentials

CWE-257 Storing Passwords in a Recoverable Format

Product status

Default status: unknown

*: affected

2024.3: affected

Credits

Shadron Gudmunson, Luke Rindels, Robert McCain, Asjha Stus, Adam Merrill, Ryan Kao, Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)

References

raw.githubusercontent.com/...IT/white/2025/va-25-282-01.json (url)

www.cve.org/CVERecord?id=CVE-2025-35054 (url)

cve.org (CVE-2025-35054)

nvd.nist.gov (CVE-2025-35054)