A critical vulnerability, identified as CVE-2025-35050, has been discovered in multiple Newforma Info Exchange products. This flaw allows a remote, unauthenticated attacker to execute arbitrary code on the server, potentially leading to a complete system compromise. Due to its high severity and the ease of exploitation, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of organizational data and systems.

The vulnerability exists due to an insecure deserialization of .NET data within the Newforma Info Exchange software. The application's /remoteweb/remote.rem endpoint accepts serialized .NET objects from any remote, unauthenticated source. An attacker can craft a malicious serialized object containing arbitrary commands and send it to this endpoint, which, upon being processed by the application, will execute the embedded code with the privileges of the NT AUTHORITY\NetworkService account, leading to a full compromise of the server.

The exploitation of this vulnerability would have a critical business impact, reflected by its CVSS score of 9.8. A successful attack allows a remote adversary to take full control of the affected Newforma server without any prior authentication. This could lead to the theft of sensitive project data and intellectual property, deployment of ransomware, complete disruption of services, and the use of the compromised server as a foothold to launch further attacks against the internal network. The potential consequences include significant financial loss, reputational damage, and operational downtime.

Immediate Action: Immediately apply the security updates provided by the vendor to patch all affected Newforma Info Exchange products to the latest version. After patching, it is crucial to monitor systems for any signs of exploitation attempts and to review historical access logs for suspicious activity targeting the /remoteweb/remote.rem endpoint.

Proactive Monitoring: Security teams should actively monitor web server logs (e.g., IIS logs) for any access attempts to the /remoteweb/remote.rem endpoint from untrusted IP addresses. Utilize network monitoring tools and Endpoint Detection and Response (EDR) solutions to detect anomalous behavior, such as unexpected outbound network connections or the execution of suspicious processes (e.g., powershell.exe, cmd.exe) by the web service account.

Compensating Controls: If immediate patching is not feasible, restrict network access to the /remoteweb/remote.rem endpoint to only trusted IP addresses using a firewall, reverse proxy, or Web Application Firewall (WAF). Further isolate the Newforma server from critical internal network segments to limit the potential for lateral movement in the event of a compromise.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents an immediate and severe risk to the organization. The ability for an unauthenticated attacker to achieve remote code execution requires urgent attention. We strongly recommend that the remediation plan be executed immediately, prioritizing the patching of all internet-facing Newforma Info Exchange servers. Although this vulnerability is not yet on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity and potential for widespread impact make it a prime candidate for future inclusion and active exploitation.