A critical remote code execution vulnerability has been discovered in Newforma Project Center Server. This flaw allows an unauthenticated attacker over the network to execute arbitrary code and gain complete control of the affected server, without needing any credentials. Successful exploitation could lead to a full system compromise, resulting in data theft, ransomware deployment, or further attacks into the corporate network.

This vulnerability is an insecure deserialization flaw. The Newforma Project Center Server exposes a .NET Remoting endpoint at /ProjectCenter.rem on TCP port 9003, which accepts serialized .NET objects. An unauthenticated, remote attacker can craft a malicious serialized object containing arbitrary code and send it to this endpoint. The server deserializes the object without proper validation, leading to the execution of the embedded code with the high privileges of the NT AUTHORITY\SYSTEM account, resulting in a full compromise of the server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on business operations. An attacker could exfiltrate sensitive project data, intellectual property, and client information stored on the server, leading to breaches of confidentiality and significant reputational damage. Furthermore, a compromised server can be used as a pivot point for lateral movement into the wider corporate network, or be leveraged for disruptive attacks like ransomware, causing major financial loss and operational downtime.

Immediate Action: Immediately apply the security updates provided by the vendor to all vulnerable Newforma Project Center Servers. Prioritize patching for servers that are exposed to the internet. After patching, review application and system logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring:

• Monitor network traffic for any connections to TCP port 9003, particularly from untrusted or external IP addresses.
• Review web server and application logs for unusual requests or errors associated with the /ProjectCenter.rem endpoint.
• Utilize Endpoint Detection and Response (EDR) solutions to monitor the Newforma server for suspicious process execution, such as unexpected child processes spawned by the Newforma service (e.g., cmd.exe, powershell.exe).

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Use a network firewall or host-based firewall to restrict all access to TCP port 9003. Only allow connections from specific, trusted IP addresses that are required for business operations.
• If possible, place the affected server behind a Web Application Firewall (WAF) and implement rules to inspect and block serialized object payloads, although this may not be a complete solution.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of unauthenticated remote code execution, this vulnerability poses a significant threat to the organization. Immediate patching is the highest priority and should be treated as an emergency. All system administrators should apply the vendor-provided updates to all Newforma Project Center Servers without delay. While this CVE is not currently on the CISA KEV list, its severity makes it a likely candidate for future inclusion, and organizations should operate under the assumption that it will be actively exploited.