
2 vulnerabilities found for bestinformed Infoclient by Cordaware

CVE-2025-0425 (GCVE-0-2025-0425)

Vulnerability from cvelistv5 – Published: 2025-02-18 07:57 – Updated: 2025-02-18 14:32
Summary
Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of the "bestinformed Server" to which this client connects. This is dangerous as the "bestinformed Infoclient" runs with elevated permissions ("nt authority\system"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. Those features include:
  * Pushing of malicious update packages
  * Arbitrary Registry Read as "nt authority\system"

An attacker is able to escalate his privileges to "nt authority\system" on the Windows client running the "bestinformed Infoclient".

This attack is not possible if a custom configuration ("Infoclient.ini") containing the flags "ShowOnTaskbar=false" or "DisabledItems=stPort,stAddress" is deployed.
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
Vendor Product Version
Cordaware bestinformed Infoclient Affected: 0 , < 6.3.7.0 (custom)
Unaffected: 6.3.7.0
Credits
Manuel Kiesel (cyllective AG) David Miller (cyllective AG)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T14:31:59.558530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T14:32:08.718Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "bestinformed Infoclient",
          "vendor": "Cordaware",
          "versions": [
            {
              "lessThan": "6.3.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "6.3.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Manuel Kiesel (cyllective AG)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "David Miller (cyllective AG)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Via the GUI of the \"bestinformed Infoclient\", a low-privileged user is by default able to change the server address of the \"bestinformed Server\" to which this client connects. This is dangerous as the \"bestinformed Infoclient\" runs with elevated permissions (\"nt authority\\system\"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the \"bestinformed Web\" server. Those features include:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePushing of malicious update packages\u003c/li\u003e\u003cli\u003eArbitrary Registry Read as \"nt authority\\system\"\u003c/li\u003e\u003c/ul\u003eAn attacker is able to escalate his privileges to \"nt authority\\system\" on the Windows client running the \"bestinformed Infoclient\".\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis attack is not possible if a custom configuration \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e(\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInfoclient.ini\")\u0026nbsp;\u003c/span\u003econtaining the flags \"ShowOnTaskbar=false\" or \"DisabledItems=stPort,stAddress\" is deployed.\u0026nbsp;\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Via the GUI of the \"bestinformed Infoclient\", a low-privileged user is by default able to change the server address of the \"bestinformed Server\" to which this client connects. This is dangerous as the \"bestinformed Infoclient\" runs with elevated permissions (\"nt authority\\system\"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the \"bestinformed Web\" server. Those features include:\n  *  Pushing of malicious update packages\n  *  Arbitrary Registry Read as \"nt authority\\system\"\n\n\nAn attacker is able to escalate his privileges to \"nt authority\\system\" on the Windows client running the \"bestinformed Infoclient\".\u00a0\n\n\nThis attack is not possible if a custom configuration (\"Infoclient.ini\")\u00a0containing the flags \"ShowOnTaskbar=false\" or \"DisabledItems=stPort,stAddress\" is deployed."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T07:57:35.329Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.cordaware.com/changelog/en/version-6_3_8_1.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Local Privilege Escalation via Config Manipulation",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2025-0425",
    "datePublished": "2025-02-18T07:57:35.329Z",
    "dateReserved": "2025-01-13T14:29:50.604Z",
    "dateUpdated": "2025-02-18T14:32:08.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0425 (GCVE-0-2025-0425)

Vulnerability from nvd – Published: 2025-02-18 07:57 – Updated: 2025-02-18 14:32
Summary
Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of the "bestinformed Server" to which this client connects. This is dangerous as the "bestinformed Infoclient" runs with elevated permissions ("nt authority\system"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. Those features include:
  * Pushing of malicious update packages
  * Arbitrary Registry Read as "nt authority\system"

An attacker is able to escalate his privileges to "nt authority\system" on the Windows client running the "bestinformed Infoclient".

This attack is not possible if a custom configuration ("Infoclient.ini") containing the flags "ShowOnTaskbar=false" or "DisabledItems=stPort,stAddress" is deployed.
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
Vendor Product Version
Cordaware bestinformed Infoclient Affected: 0 , < 6.3.7.0 (custom)
Unaffected: 6.3.7.0
Credits
Manuel Kiesel (cyllective AG) David Miller (cyllective AG)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T14:31:59.558530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T14:32:08.718Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "bestinformed Infoclient",
          "vendor": "Cordaware",
          "versions": [
            {
              "lessThan": "6.3.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "6.3.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Manuel Kiesel (cyllective AG)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "David Miller (cyllective AG)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Via the GUI of the \"bestinformed Infoclient\", a low-privileged user is by default able to change the server address of the \"bestinformed Server\" to which this client connects. This is dangerous as the \"bestinformed Infoclient\" runs with elevated permissions (\"nt authority\\system\"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the \"bestinformed Web\" server. Those features include:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePushing of malicious update packages\u003c/li\u003e\u003cli\u003eArbitrary Registry Read as \"nt authority\\system\"\u003c/li\u003e\u003c/ul\u003eAn attacker is able to escalate his privileges to \"nt authority\\system\" on the Windows client running the \"bestinformed Infoclient\".\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis attack is not possible if a custom configuration \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e(\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInfoclient.ini\")\u0026nbsp;\u003c/span\u003econtaining the flags \"ShowOnTaskbar=false\" or \"DisabledItems=stPort,stAddress\" is deployed.\u0026nbsp;\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Via the GUI of the \"bestinformed Infoclient\", a low-privileged user is by default able to change the server address of the \"bestinformed Server\" to which this client connects. This is dangerous as the \"bestinformed Infoclient\" runs with elevated permissions (\"nt authority\\system\"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the \"bestinformed Web\" server. Those features include:\n  *  Pushing of malicious update packages\n  *  Arbitrary Registry Read as \"nt authority\\system\"\n\n\nAn attacker is able to escalate his privileges to \"nt authority\\system\" on the Windows client running the \"bestinformed Infoclient\".\u00a0\n\n\nThis attack is not possible if a custom configuration (\"Infoclient.ini\")\u00a0containing the flags \"ShowOnTaskbar=false\" or \"DisabledItems=stPort,stAddress\" is deployed."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T07:57:35.329Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.cordaware.com/changelog/en/version-6_3_8_1.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Local Privilege Escalation via Config Manipulation",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2025-0425",
    "datePublished": "2025-02-18T07:57:35.329Z",
    "dateReserved": "2025-01-13T14:29:50.604Z",
    "dateUpdated": "2025-02-18T14:32:08.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}