CVE-2025-22372 PUBLISHED

Insecure password storage in SicommNet BASEC

Assigner: DIVD
Reserved: 03.01.2025 Published: 14.04.2025 Updated: 15.04.2025

Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery. Passwords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.

This issue affects BASEC: from 14 Dec 2021.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/V:C
CVSS Score: 8.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/V:C
CVSS Score: 9.3

When combined with CVE-2025-22371

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	Low
Attack Requirements	None	Availability	High	Availability	Low
Privileges Required	None
User Interaction	None

When combined with CVE-2025-22371

CVSS 4.0

Product Status

Vendor	SicommNet
Product	BASEC
Versions	Default: unknown affected from 14 Dec 2021 to * (incl.)

Exploits

Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.

Credits

Jesse Meijer (DIVD) finder
Frank Breedijk (DIVD) analyst

References

Problem Types

CWE-522 Insufficiently Protected Credentials CWE

Impacts

CAPEC-50 Password Recovery Exploitation