CVE-2025-35052 MEDIUM

CVE-2025-35052: Newforma Info Exchange (NIX) shared hard-coded secret key

Vendor Newforma
Product Project Center
Weakness CWE-321
Published October 9, 2025
Last update October 15, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shared across NIX installations. NIX 2023.3 and 2024.1 limit the use of hard-coded keys.

Key dates

02Disclosure timeline

October 9, 2025 CVE published
October 15, 2025 Record updated