Critical Vulnerability Information

CVE ID: CVE-2025-35055
Release Date: 2025-10-09
Update Date: 2025-10-09
Title: Newforma Info Exchange (NIX) Insecure File Upload

Description:
- The 'User/Web/Common/UploadBlueimp.ashx' component in Newforma Info Exchange (NIX) allows authenticated attackers to upload arbitrary files to any writable location within the NIX application.
- Attackers can upload and execute web shells or other content executable by the web server.
- Attackers can also delete directories.
- In Newforma versions prior to 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing unauthenticated attackers to authenticate as "anonymous" and exploit this file upload vulnerability.

CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS:
- CVSS v3.1: 8.8 (High)
- CVSS v4.0: 8.7 (High)

Affected Products:
- Vendor: Newforma
- Product: Project Center
- Versions: All versions from 0 up to, but not including, 2023.1

References:
- CVE.org
- CVE.org
- raw.githubusercontent.com
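
Detection note (an added example, not part of the advisory and not Newforma code): the script below scans IIS W3C logs for successful POSTs to the upload handler and for server-executable paths that first return success only after such an upload. The log lines are constructed, and the paths other than the handler, the extension list and the first-seen heuristic are assumptions.

```python
# Constructed IIS W3C sample (not real traffic). Paths other than the upload
# handler named in the advisory are hypothetical.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-10-09 10:00:01 203.0.113.5 GET /User/Web/Login.aspx 200
2025-10-09 10:02:10 198.51.100.7 GET /User/Web/Files/report.aspx 404
2025-10-09 10:02:15 198.51.100.7 POST /User/Web/Common/UploadBlueimp.ashx 200
2025-10-09 10:02:20 203.0.113.5 GET /User/Web/Login.aspx 200
2025-10-09 10:02:31 198.51.100.7 GET /User/Web/Files/report.aspx 200
"""

UPLOAD_SUFFIX = "/uploadblueimp.ashx"            # handler from the advisory
EXEC_EXT = (".aspx", ".ashx", ".asmx", ".asp")   # assumed executable types

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):       # skip truncated lines
                yield dict(zip(fields, values))

def find_upload_activity(text):
    """Return (uploads, suspects): successful POSTs to the handler, and
    executable paths that first answered 2xx only after an upload."""
    seen_ok, uploads, suspects = set(), [], []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()        # IIS paths are case-insensitive
        ok = rec["sc-status"].startswith("2")
        if stem.endswith(UPLOAD_SUFFIX):
            if rec["cs-method"] == "POST" and ok:
                uploads.append(rec)
        elif stem.endswith(EXEC_EXT) and ok:
            if uploads and stem not in seen_ok:
                suspects.append(rec)
            seen_ok.add(stem)
    return uploads, suspects

if __name__ == "__main__":
    ups, sus = find_upload_activity(SAMPLE_LOG)
    for r in ups:
        print("upload :", r["date"], r["time"], r["c-ip"])
    for r in sus:
        print("suspect:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
```

Feed it logs in chronological order; a path that returned 404 before an upload and 200 after it is the strongest signal this heuristic produces.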