CVE-2025-0425

NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-0425
CWE	https://cwe.mitre.org/data/definitions/15.html

Via the GUI of the bestinformed Infoclient, a low-privileged user is by default able to change the server address of the bestinformed Server to which this client connects. This is dangerous as the bestinformed Infoclient runs with elevated permissions (nt authoritysystem). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the bestinformed Web server. Those features include:

Pushing of malicious update packages
Arbitrary Registry Read as nt authoritysystem

An attacker is able to escalate his privileges to nt authoritysystem on the Windows client running the bestinformed Infoclient.

This attack is not possible if a custom configuration (Infoclient.ini) containing the flags ShowOnTaskbar=false or DisabledItems=stPort,stAddress is deployed.

Weakness

One or more system settings or configuration elements can be externally controlled by a user.

Potential Mitigations

Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

References

https://www.cordaware.com/changelog/en/version-6_3_8_1.html

External Control of System or Configuration Setting

Weakness

Potential Mitigations

Related Attack Patterns

References