CVE-2025-35051
CRITICALNewforma Project Center - Insecure Deserialization
Title source: ruleDescription
Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.
References (3)
Scores
CVSS v3
9.8
EPSS
0.0027
EPSS Percentile
49.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
CWE-306
Status
published
Affected Products (1)
newforma/project_center
Timeline
Published
Oct 09, 2025
Tracked Since
Feb 18, 2026