CVE-2025-35054
5.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma<version>\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Newforma | Project Center | * | affected |
| Newforma | Project Center | 2024.3 | affected |
Weaknesses
- CWE-922: CWE-922 Insecure Storage of Sensitive Information
- CWE-522: CWE-522 Insufficiently Protected Credentials
- CWE-257: CWE-257 Storing Passwords in a Recoverable Format
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-35054
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.