Cordaware bestinformed is software for the company-wide distribution of urgent information. Among other things, it lets you push banner messages to client workstations, for example to tell users that a service needs unplanned maintenance. This way, your IT department does not get bombarded with messages.
In late 2024, cyllective encountered Cordaware bestinformed during an audit. To be more specific, we encountered the Windows client running as NT AUTHORITY\SYSTEM. This client sparked our interest, mainly from a local privilege escalation standpoint. As those high permissions are the default, we decided to investigate this software for potential vulnerabilities. This research was conducted by Manuel Kiesel ↗ and David Miller ↗.

This blog post accompanies “LPE by changing an IP address” ↗, a blog post by Manuel Kiesel. Over there, he goes into more detail about the backstory, the initial investigation and focuses on CVE-2025-0425 ↗, the local privilege escalation vulnerability inside the client. This blog post will mainly focus on the vulnerabilities inside the web application.
Client #
We encountered the software for the first time by stumbling upon the bestinformed Infoclient GUI, which ran on a workstation as NT AUTHORITY\SYSTEM. After inspecting the GUI for a bit, we noticed that our low-privileged user was able to change the IP address of the bestinformed server. From past experience investigating client/server models, as well as from threat modeling, this looked dangerous to us: a low-privileged user can point a client that runs with elevated permissions at a potentially malicious server. Thus, this third-party software, which we had never heard of, sparked our interest.

The client itself is written in Object Pascal (Borland Delphi) and packed with ASPack. After unpacking the client and the surrounding binaries, we started reverse-engineering using tools like IDR ↗ and dhrake ↗. This turned out to be very cumbersome, as the binaries were quite large and contained many, many features.
In the meantime, since the server part of Cordaware bestinformed can be self-hosted, we asked Cordaware for a demo license. They were super cooperative and sent us one. Kudos!
Traffic Inspection #
Once we had deployed the server, we turned our attention to the traffic between the client and the server. Using Wireshark, we quickly found that this traffic was HTTPS, as it was going to the same port on which the admin web interface was reachable.
However, there was a small hurdle in making this traffic readable. Neither Burp nor mitmproxy were able to display this HTTP traffic inside their respective UIs. This was due to the fact that the client, by default, uses Connection: Keep-Alive. The client always connects to the server using the GET /ClientRegister endpoint. The server responds to that request with any commands waiting on the server, for example an information banner to display or a configuration change. Over the same socket, even hours later, the server will again send any new commands for the client to process.
To work around this, we wrote a bit of code ↗ to act as a bidirectional HTTPS proxy.
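To illustrate what such a relay has to do differently from an interception proxy, here is an added example (written for this page, not cyllective's proxy code and not part of the original post). It terminates TLS towards the Infoclient with a self-signed certificate you generate, re-encrypts towards the real server, and logs every complete HTTP message in either direction while keeping the long-lived socket open no matter how long the server stays silent. The message splitter assumes bodies are delimited by Content-Length (no chunked encoding), and `relay_in_memory` exercises the relay over socketpairs with constructed traffic so it can be run without a bestinformed installation:

```python
import socket
import ssl
import threading


def split_http_messages(buf: bytes):
    """Split a byte stream holding several back-to-back HTTP/1.1 messages into
    complete messages, delimited by Content-Length. Returns (messages, rest);
    rest is an incomplete trailing message to keep until more bytes arrive.
    Assumption: bodies use Content-Length or are absent (no chunked encoding)."""
    messages = []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end == -1:
            return messages, buf
        head = buf[:end + 4]
        body_len = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip())
        total = len(head) + body_len
        if len(buf) < total:
            return messages, buf
        messages.append(buf[:total])
        buf = buf[total:]


def pump(src, dst, label, log, stop, idle=1.0):
    """Copy bytes src -> dst, logging every complete HTTP message as (label, bytes).
    Silence never tears the socket down, so a /ClientRegister reply that the
    server pushes hours later is still relayed and logged."""
    src.settimeout(idle)
    pending = b""
    while True:
        try:
            data = src.recv(65536)
        except socket.timeout:
            if stop.is_set():      # other direction ended and we are idle: finish
                break
            continue
        except OSError:
            break
        if not data:               # peer closed its side: end the whole session
            break
        dst.sendall(data)
        pending += data
        done, pending = split_http_messages(pending)
        for msg in done:
            log.append((label, msg))
    stop.set()


def relay(client_sock, server_sock, log):
    """Run both directions of one connection until either side closes."""
    stop = threading.Event()
    threads = [
        threading.Thread(target=pump, args=(client_sock, server_sock, "client->server", log, stop)),
        threading.Thread(target=pump, args=(server_sock, client_sock, "server->client", log, stop)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    for s in (client_sock, server_sock):
        s.close()


def serve(listen_host, listen_port, upstream_host, upstream_port, certfile, keyfile, log):
    """TLS-terminating proxy: point the Infoclient at listen_host:listen_port.
    certfile/keyfile are a self-signed pair you generate; upstream certificate
    checks are disabled on purpose because this is a lab tool."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    client_ctx = ssl.create_default_context()
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE
    with socket.create_server((listen_host, listen_port)) as listener:
        while True:
            raw, _ = listener.accept()
            downstream = server_ctx.wrap_socket(raw, server_side=True)
            upstream = client_ctx.wrap_socket(
                socket.create_connection((upstream_host, upstream_port)),
                server_hostname=upstream_host)
            threading.Thread(target=relay, args=(downstream, upstream, log), daemon=True).start()


def relay_in_memory(client_bytes: bytes, server_bytes: bytes):
    """Exercise relay() over socketpairs (no network, no TLS) with constructed
    traffic. Returns (bytes the server got, bytes the client got, message log)."""
    c_app, c_proxy = socket.socketpair()
    s_proxy, s_app = socket.socketpair()
    log, got_by_server, got_by_client = [], [], []

    def peer(sock, send, got):
        sock.sendall(send)
        sock.shutdown(socket.SHUT_WR)
        while chunk := sock.recv(65536):
            got.append(chunk)
        sock.close()

    peers = [threading.Thread(target=peer, args=(c_app, client_bytes, got_by_client)),
             threading.Thread(target=peer, args=(s_app, server_bytes, got_by_server))]
    for t in peers:
        t.start()
    relay(c_proxy, s_proxy, log)
    for t in peers:
        t.join()
    return b"".join(got_by_server), b"".join(got_by_client), log


if __name__ == "__main__":
    _, _, seen = relay_in_memory(
        b"GET /ClientRegister?VER=6.3.6.8 HTTP/1.1\r\nHost: srv\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    for label, msg in seen:
        print(label, msg.split(b"\r\n", 1)[0])
```

The point of the design is that neither direction is ever closed because the other one is quiet: a pump only gives up on end-of-stream, and the second direction drains what is left before the pair is closed, which is what an interception proxy built around a request/response pair does not do for this protocol.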

Having readable traffic and the debug logs from both client and server, we were able to properly investigate the client for potential vulnerabilities.
CVE-2025-0425 #
For a detailed write-up on the client’s local privilege escalation, check out the accompanying blog post over at mkiesel.ch/posts/cordaware ↗.
Server #
Our attack vector, as you might recall, is to connect our client to a malicious server. To simulate such a server, we needed to know the communication patterns. For this, we turned our attention to the bestinformed server. This server contains many services, but mainly a web interface for controlling the information distribution.

Our target was a feature that allowed us to execute code on the client. This meant searching the whole web UI for features, flags, and other options. While doing this, we encountered multiple vulnerabilities in the web UI.
CVE-2025-0424 #
Multiple Authenticated Stored Cross-Site Scripting
During investigations into the web panel, we found a total of four (4) authenticated stored XSS vulnerabilities. These can be abused by an authenticated user to inject JavaScript into the sessions of other bestinformed users, who potentially have higher privileges inside the web UI.
For example, during a file upload, the filename can be changed to contain HTML code, which is rendered once a user views this file.
```http
------WebKitFormBoundaryOLzt1xweIxgOYyL6
Content-Disposition: form-data; name="file"; filename="cy.jpg <img src='' onerror=alert(document.domain)>"
Content-Type: image/jpeg
```

CVE-2025-0423 #
Multiple Unauthenticated Stored Cross-Site Scripting
During investigations into the web panel, we found a total of three (3) unauthenticated stored XSS vulnerabilities. Those can be abused by an unauthenticated attacker to inject JavaScript into the sessions of bestinformed users, potentially taking over the server and clients.
For example, when a client registers, the values of its client parameters can contain HTML. These values are rendered in the client panel, but only once an authenticated user hovers over them (active user interaction).
```http
GET /ClientRegister?VER=6.3.6.8&TEC=1&UID=xxxxx&CID=xx&GUID=xxx&Domain=<img src='x' onerror='alert(document.domain)'>
```
The other unauthenticated vulnerabilities only require passive user interaction (viewing the affected page) and are thus more dangerous.
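Both stored XSS families above share one trait that is easy to hunt for in server-side request logs: the payload is persisted verbatim from an HTTP request, either as a `/ClientRegister` query parameter (CVE-2025-0423) or as a multipart `filename` (CVE-2025-0424). The following detection is an added example written for this page, not tooling from cyllective or Cordaware. It parses request lines and multipart bodies and flags values carrying tag openers, `on*=` handlers or `javascript:` URLs; the sample request lines and multipart body are constructed here, with the payloads taken from the two cases shown above:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Markup that has no business in a hostname, user name or file name: a tag
# opener, an on*= event handler, or a javascript: URL.
HTML_MARKERS = re.compile(r"<[a-zA-Z/!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def suspicious_query_params(request_line: str):
    """For a 'GET /ClientRegister?... HTTP/1.1' request line, return the
    (name, value) pairs whose percent-decoded value contains markup."""
    method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" ", 1)[0]          # drop the trailing HTTP/1.x token
    parts = urlsplit(target)
    if method != "GET" or not parts.path.endswith("/ClientRegister"):
        return []
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if HTML_MARKERS.search(value)]


def suspicious_upload_filenames(multipart_body: str):
    """Return filename="..." values of multipart parts that contain markup."""
    names = re.findall(r'filename="((?:[^"\\]|\\.)*)"', multipart_body)
    return [n for n in names if HTML_MARKERS.search(n)]


# Constructed sample request lines; only the first one is benign. The third
# carries the same payload percent-encoded, as a real client would send it.
SAMPLE_REQUEST_LINES = [
    "GET /ClientRegister?VER=6.3.6.8&TEC=1&UID=u1&CID=1&GUID=g1&Domain=CORP HTTP/1.1",
    "GET /ClientRegister?VER=6.3.6.8&TEC=1&UID=u2&CID=1&GUID=g2&Domain=<img src='x' onerror='alert(document.domain)'> HTTP/1.1",
    "GET /ClientRegister?VER=6.3.6.8&TEC=1&UID=u3&CID=1&GUID=g3&Domain=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1",
]

# Constructed multipart body carrying the filename payload from the upload case.
SAMPLE_MULTIPART = (
    '------WebKitFormBoundaryOLzt1xweIxgOYyL6\r\n'
    'Content-Disposition: form-data; name="file"; filename="cy.jpg <img src=\'\' onerror=alert(document.domain)>"\r\n'
    'Content-Type: image/jpeg\r\n\r\n'
)


def scan(request_lines, multipart_bodies=()):
    """Run both checks and return a flat list of (where, field, value) findings."""
    findings = []
    for line in request_lines:
        for name, value in suspicious_query_params(line):
            findings.append(("ClientRegister parameter", name, value))
    for body in multipart_bodies:
        for name in suspicious_upload_filenames(body):
            findings.append(("upload filename", "filename", name))
    return findings


if __name__ == "__main__":
    for where, field, value in scan(SAMPLE_REQUEST_LINES, [SAMPLE_MULTIPART]):
        print(f"{where}: {field} = {value!r}")
```

Because `/ClientRegister` is reachable without authentication, a hit on that endpoint is worth an alert on its own; a legitimate Infoclient never sends markup in its domain, user or host fields.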
CVE-2025-0422 #
Authenticated Remote Code Execution via ScriptVar
A ScriptVar, a type of dynamic data, can contain Pascal or Erlang code. This enables an authenticated attacker to execute commands on the underlying server. The default admin has permission to do this, but the granular permission system of bestinformed allows this permission to be granted to other users as well. Any account that can create ScriptVars and preview them (for example by creating an Info) can carry out this attack.
As an example, an attacker can add the following to an already existing ScriptVar:
```erlang
Command = "powershell -e xxx",
os:cmd(Command),
```
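On the defensive side, the telltale of this primitive is a command shell spawned by the bestinformed server process, typically with an `-EncodedCommand` argument as in the snippet above. The following is an added example for this page (not from cyllective or Cordaware) that runs over Sysmon-style process-creation records: it matches shells whose parent is the server process and decodes PowerShell's Base64-of-UTF-16LE argument so the analyst sees the real script. The server's process name is not documented on this page, so `PLACEHOLDER_SERVER` is a hypothetical name to be replaced with the one from your deployment; the sample events and the encoded payload are constructed here. Note that Erlang's `os:cmd` hands the string to the system shell, so the PowerShell process may sit one hop below a `cmd.exe` child, which is why `cmd.exe` is matched as well:

```python
import base64

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the common ones.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def executable_name(command_line: str) -> str:
    """Program name from a command line, handling a quoted path with spaces."""
    line = command_line.strip()
    if line.startswith('"'):
        exe = line[1:line.find('"', 1)]
    else:
        exe = line.split(maxsplit=1)[0] if line else ""
    return basename(exe)


def decode_encoded_command(command_line: str):
    """Return the script hidden behind powershell -EncodedCommand (Base64 of
    UTF-16LE text), or None if this is not such an invocation."""
    if executable_name(command_line) not in {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}:
        return None
    tokens = command_line.split()
    for flag, arg in zip(tokens, tokens[1:]):
        if flag.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(arg, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def flag_process_events(events, server_parents):
    """events: process-creation records (dicts with ParentImage, Image, CommandLine).
    server_parents: lower-cased image names of the bestinformed server process(es),
    taken from your own deployment. Returns one finding per shell they spawned."""
    findings = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in server_parents and child in SHELLS:
            findings.append({
                "parent": parent,
                "child": child,
                "command_line": ev["CommandLine"],
                "decoded": decode_encoded_command(ev["CommandLine"]),
            })
    return findings


# Constructed sample data. The server process name is a placeholder, not a real one.
PLACEHOLDER_SERVER = "bestinformed_server.exe"
SAMPLE_SCRIPT = "whoami > C:\\Windows\\Temp\\o.txt"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": f"C:\\Program Files\\Cordaware\\{PLACEHOLDER_SERVER}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell -e {SAMPLE_ENCODED}"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoProfile"},
]

if __name__ == "__main__":
    for hit in flag_process_events(SAMPLE_EVENTS, {PLACEHOLDER_SERVER}):
        print(hit["parent"], "->", hit["child"], "|", hit["decoded"])
```

Any shell under the server process is suspicious regardless of its arguments; the decoding step exists so that the alert carries the attacker's actual command rather than an opaque Base64 blob.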
Other Recommendations #
Insecure Cookie Attributes
The session cookie was not marked as HttpOnly. This enabled us to easily take over accounts without needing to issue all malicious requests from a victim's browser. We did not request a CVE for this, as it does not qualify for one on its own. We nonetheless recommended that Cordaware ensure that proper cookie attributes are set.
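A quick way to verify that recommendation after an update is to audit the Set-Cookie header the login response returns. The check below is an added example written for this page, not cyllective's or Cordaware's code; the cookie names and header values are constructed. It reports which protections are missing and which cookies an injected script could read through `document.cookie`, which is exactly what turns the stored XSS above into a session takeover when HttpOnly is absent:

```python
def parse_set_cookie(header_value: str):
    """Parse one Set-Cookie header value into (name, value, {attr: value}).
    Attribute names are lower-cased; flag attributes such as HttpOnly map to ''."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header_value: str):
    """Return the list of weaknesses in a session cookie's attributes."""
    _, _, attrs = parse_set_cookie(header_value)
    problems = []
    if "httponly" not in attrs:
        problems.append("HttpOnly missing: document.cookie exposes the session to injected script")
    if "secure" not in attrs:
        problems.append("Secure missing: the cookie is also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: cross-site requests carry the session")
    return problems


def readable_from_javascript(set_cookie_headers):
    """Names of the cookies an XSS payload could exfiltrate via document.cookie."""
    return [parse_set_cookie(h)[0] for h in set_cookie_headers
            if "httponly" not in parse_set_cookie(h)[2]]


# Constructed headers: a weak session cookie, a hardened one, and a harmless preference cookie.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"
PREFERENCE_COOKIE = "theme=dark; Path=/; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header)
        for problem in audit_session_cookie(header) or ["ok"]:
            print("  -", problem)
    print("readable via document.cookie:", readable_from_javascript([WEAK_COOKIE, PREFERENCE_COOKIE]))
```

HttpOnly does not stop an attacker who can run script in the victim's browser from issuing requests as the victim, but it forces every action through that browser session instead of handing over a reusable token, which is the difference the paragraph above describes.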
Signature Verification
The client did not validate the existing signature of updates pushed via the bestinformed server (or a malicious counterpart). We did not request a CVE for this, as it does not qualify for one on its own. We nonetheless recommended that Cordaware change this.
Demos #
Compromise the Server #
Here is a demo combining CVE-2025-0422 ↗ and CVE-2025-0423 ↗ for an unauthenticated RCE on the Cordaware bestinformed server.
Compromise Workstations #
Here is a demo using CVE-2025-0423 to spread malware to all connected bestinformed clients.
Timeline #
- 2024-10-25: Received client binaries from initial customer
- 2024-11-18: Received demo license from Cordaware
- 2024-12-05: Sent report to Cordaware, asking for a review until the end of the year
- 2024-12-19: Cordaware replied, acknowledging all found vulnerabilities
  - Web vulnerabilities already fixed and in testing
  - Client vulnerability needed additional information
- 2025-01-09: Client vulnerability fixed, in testing
- 2025-01-17: CVEs reserved through BACS ↗
- 2025-02-13: Updates released
- 2025-02-18: CVEs and this blog post go live
Impact & Recommendations #
As you saw in the videos above, an unauthenticated attacker with network access to your bestinformed web server is able to compromise the server itself and the connected clients. In both cases, the affected software runs with elevated permissions.
Affected are bestinformed Infoclient version <= 6.3.7.0 and bestinformed web version <= 6.2.2.5. Fixes for both components were released on 13.02.2025 as version 6.3.8.1 and 6.2.2.5. Please note that cyllective did not conduct a full, in-depth white-box audit of the software, and other security vulnerabilities may still remain.
We recommend the following:
- Update the client and server to the versions mentioned above, which protects against the four vulnerabilities we discovered.
- Ensure Cordaware bestinformed server accounts are protected and treated as very sensitive. Even after patching, an account in the bestinformed web UI can, to a certain degree, still abuse the high-privileged client.
- Only install the bestinformed client on user-operated workstations. Not running this software on servers, for example, greatly decreases the risk of an attacker abusing it for lateral movement to sensitive resources.
- On the server running the web UI, make a few configuration changes:
  - Ensure only the needed ports are exposed. By default, the Cordaware bestinformed Server exposes a lot of ports on 0.0.0.0.
  - If possible, use mTLS ↗ to connect from the Infoclient to the server. This should stop a malicious client from being onboarded into your bestinformed instance.
Closing Words #
A big Danke to Cordaware! They provided us with a demo license, were super helpful and responsive, and were totally on board with our little research project. We wish more companies were this open-minded when it comes to IT security.
For any questions or feedback, feel free to reach out to us.