CVE-2025-0425 in bestinformed Infoclientinfo

Summary

by MITRE • 02/18/2025

Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of the "bestinformed Server" to which this client connects. This is dangerous as the "bestinformed Infoclient" runs with elevated permissions ("nt authority\system"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. Those features include: * Pushing of malicious update packages * Arbitrary Registry Read as "nt authority\system"


An attacker is able to escalate his privileges to "nt authority\system" on the Windows client running the "bestinformed Infoclient". 


This attack is not possible if a custom configuration ("Infoclient.ini") containing the flags "ShowOnTaskbar=false" or "DisabledItems=stPort,stAddress" is deployed.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/18/2025

The vulnerability described in CVE-2025-0425 represents a critical privilege escalation flaw within the bestinformed Infoclient software ecosystem. This vulnerability arises from a fundamental design flaw in the graphical user interface configuration capabilities of the Infoclient application, which operates with elevated system permissions under the nt authority\system account. The default configuration allows any low-privileged user to modify critical network settings that control the client-server communication pathway. This represents a classic case of insufficient privilege separation and inadequate input validation within the application's configuration management subsystem. The vulnerability directly maps to CWE-269: "Improper Privilege Management" and CWE-787: "Out-of-bounds Write" as the configuration modification capability enables unauthorized access to system-level functions through a seemingly benign interface element.

The technical exploitation of this vulnerability involves a straightforward yet effective attack pattern that leverages the elevated execution context of the Infoclient process. When a low-privileged user modifies the server address field through the GUI, the application accepts this change without proper authentication or authorization checks. The Infoclient process, running under the nt authority\system context, subsequently establishes connections to the attacker-controlled server address. This creates a man-in-the-middle scenario where the malicious server can impersonate the legitimate bestinformed Web server. The vulnerability enables the attacker to push malicious update packages that are automatically executed with system privileges, and to perform arbitrary registry reads that would otherwise be restricted to authorized administrators. This dual capability provides both persistent infection mechanisms and information gathering capabilities that are typically restricted to system-level operations.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass comprehensive system compromise capabilities. Once escalated to nt authority\system level, the attacker gains complete control over the target Windows client system, including the ability to modify system files, install malicious software, and exfiltrate sensitive data. The vulnerability creates a persistent backdoor through the update package delivery mechanism, allowing attackers to maintain access even after system restarts. Additionally, the arbitrary registry read capability provides attackers with extensive information gathering capabilities, potentially exposing system configurations, user credentials, and other sensitive registry entries that could be used for further exploitation. This vulnerability essentially transforms any low-privileged user account into a system administrator-level access point, making it particularly dangerous in enterprise environments where user account compromise is common. The attack vector aligns with ATT&CK techniques such as T1068: "Local Port Forwarding" and T1547: "Registry Run Keys / Startup Folder" through the manipulation of client-server communication and system-level persistence mechanisms.

The recommended mitigations for this vulnerability focus on both immediate configuration controls and long-term architectural improvements. The most effective immediate solution involves deploying custom configuration files through the Infoclient.ini mechanism, specifically implementing the "ShowOnTaskbar=false" or "DisabledItems=stPort,stAddress" flags to prevent user modification of critical network settings. This approach directly addresses the root cause by eliminating the GUI interface elements that enable the privilege escalation attack. Additionally, organizations should implement application whitelisting policies that restrict execution of the bestinformed Infoclient to only trusted administrators, and should regularly audit system configurations to ensure that these security controls remain properly implemented. The vulnerability highlights the importance of least privilege principles and demonstrates how default configurations can create security risks that are not immediately apparent. Organizations should also consider implementing network segmentation and monitoring to detect unauthorized server address changes, as well as regular security assessments to identify similar configuration flaws in other enterprise applications. The mitigation strategy should include comprehensive user access controls and regular security training to prevent unauthorized configuration modifications, as well as monitoring of system-level registry access patterns that could indicate exploitation attempts.

Responsible

NCSC.ch

Reservation

01/13/2025

Disclosure

02/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00160

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!