CVE-2025-35051 CRITICAL

CVE-2025-35051: Newforma Project Center Server (NPCS) .NET unauthenticated deserialization

Vendor Newforma

Product Project Center

Weakness CWE-502 · Unsafe deserialization

Published October 9, 2025

Last update October 10, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

Key dates

02Disclosure timeline

October 9, 2025 CVE published

October 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-35051

Related vulnerabilities

Identifiers

CVE CVE-2025-35051

CWE CWE-502

CVSS 9.8 / CRITICAL

Affected versions

Vendor Newforma

Product Project Center

Affected All versions

Vendor Newforma

Product Project Center

Affected 2024.3

CVE-2025-35051: Newforma Project Center Server (NPCS) .NET unauthenticated deserialization

01Description

02Disclosure timeline

03References

04Related CVE