Critical Vulnerability Information

CVE ID: CVE-2025-35052
Release Date: 2025-10-09
Update Date: 2025-10-09
Title: Newforma Info Exchange (NIX) Shared Hard-Coded Secret Key

Description

Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify file download paths, potentially bypassing authentication and authorization, such as the parameter used in . This key is shared across NIX installations. NIX versions 2023.3 and 2024.1 have restricted the use of the hard-coded key.

CWE

CWE-321: Use of Hard-coded Cryptographic Key

CVSS

Version 3.1
- Score: 5.3
- Severity: MEDIUM
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Version 4.0
- Score: 6.3
- Severity: MEDIUM
- Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N

Product Status

Vendor: Newforma
Product: Project Center
Affected Versions: Default status unknown, affects all versions

References

- CVE.org
- GitHub

Acknowledgments

Shadron Gudmunson, Luke Rindels, Robert McCain, Asjha Stus, Adam Merrill, Ryan Kao, Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)