A high-severity vulnerability has been identified in multiple Newforma products, specifically within the Newforma Info Exchange (NIX) file upload functionality. A remote, unauthenticated attacker could potentially exploit this flaw to upload malicious files, leading to arbitrary code execution and a complete compromise of the affected server. This could result in significant data breaches, system downtime, and loss of sensitive project information.

The vulnerability exists in the file upload handler located at the /UserWeb/Common/UploadBlueimp endpoint within the Newforma Info Exchange (NIX) platform. This endpoint fails to properly validate the types of files being uploaded, creating an Unrestricted File Upload vulnerability. An unauthenticated remote attacker can exploit this by crafting a malicious file, such as a web shell (e.g., an .aspx file), and uploading it to the server. By subsequently accessing the uploaded file's URL, the attacker can execute arbitrary commands on the server with the privileges of the web service account.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the Newforma server. The potential business impact is severe, including the theft of sensitive and proprietary data related to projects, clients, and financials. An attacker could also use the compromised server as a pivot point to move laterally within the corporate network, disrupt critical business operations by encrypting or deleting data (ransomware), or deface the public-facing application, causing significant reputational damage.

Immediate Action:

• Immediately apply the security updates provided by Newforma to all affected systems, prioritizing internet-facing Newforma Info Exchange servers.
• Review web server access logs for any suspicious activity related to the /UserWeb/Common/UploadBlueimp endpoint, looking for unusual file uploads or access attempts.
• After patching, continue to monitor systems for any indicators of compromise that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Scrutinize web server logs (e.g., IIS) for POST requests to /UserWeb/Common/UploadBlueimp. Investigate any uploads of files with executable extensions such as .aspx, .asp, .jsp, .php, or .exe.
• Network Traffic: Monitor for anomalous outbound network connections from the Newforma server, which could indicate a web shell communicating with an attacker's command-and-control (C2) server.
• File System Integrity: Implement file integrity monitoring (FIM) on the web server's root and upload directories to detect the creation of new, unauthorized files.

Compensating Controls:

• Web Application Firewall (WAF): If patching is delayed, deploy a WAF rule to block all access to the /UserWeb/Common/UploadBlueimp endpoint or to filter uploads based on a strict allow-list of file extensions.
• Access Control: Restrict network access to the Newforma application to only trusted IP address ranges.
• Disable Functionality: If the file upload feature is not critical for business operations, consider temporarily disabling it until patches can be applied.

Public Exploit Available: False

Given the high CVSS score of 8.8 and the potential for remote code execution, this vulnerability presents a critical risk to the organization. Although not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion and an attractive target for attackers. We strongly recommend that organizations prioritize the immediate application of vendor-supplied security patches to all affected Newforma systems. Systems exposed to the internet should be considered the highest priority for remediation.