CVE-2025-22371 PUBLISHED

SQL-injection in admin_login_handler allows unauthenticated user to log in as an administrator in SicommNet BASEC

Assigner: DIVD
Reserved: 03.01.2025 Published: 14.04.2025 Updated: 15.04.2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to Bypass Authentication and execute arbitrary SQL commands. This issue at least affects BASEC for the date of 14 Dec 2021 onwards. It is very likely that this vulnerability has been present in the solution before that.

As of the date of this CVE record, there has been no patch

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:Y/V:C
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	SicommNet
Product	BASEC
Versions	Default: unknown affected from 14 Dec 2021 to * (incl.)

Exploits

Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.

Credits

Jesse Meijer (DIVD) finder
Frank Breedijk (DIVD) analyst

References

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE

Impacts

CAPEC-115 Authentication Bypass
CAPEC-66 SQL Injection