Critical severity9.8NVD Advisory· Published Oct 9, 2025· Updated Apr 26, 2026

CVE-2025-35051

Description

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

Affected products

Newforma/Project Center
cpe:2.3:a:newforma:project_center:2024.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.jsonnvdThird Party Advisory
www.cve.org/CVERecordnvdThird Party AdvisoryUS Government Resource
projectcenter.help.newforma.com/overviews/info_exchange_overview/nvdProduct

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000