2025-10-09 20:20:18
cisa-cg
PUBLISHED
Newforma Info Exchange (NIX) accepts requests to /UserWeb/Common/MarkupServices.ashx specifying the DownloadExportedPDF command that allow an authenticated user to read and delete arbitrary files with NT AUTHORITY\NetworkService privileges. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as anonymous and exploit this file upload vulnerability.