DIVD-2025-00001 - Multiple vulnerabilities in Sicomm BASEC Service
| Our reference | DIVD-2025-00001 |
| Case lead | Frank Breedijk |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | If you are a user of this service please ask Sicomm to fix these vulnerabilities |
| Patch status | Unpatched |
| Status | Open |
| Last modified | 21 Apr 2025 15:19 CEST |
Summary
Late 2021, during an investigation into hacked sites used in a spam network, DIVD researcher Jesse Meijer stumbles upon, unrelated, source code of Sicomm BASEC, and decides to report this source code being publicly available to Sicomm, to which he never gets a reply. Based on the source code he becomes suspicious that Sicomm BASEC contains vulnerabilities and manages to confirm his suspicions in both the source code and the actual online service.
On 12 Feb 2022 he informs Sicomm support of the vulnerabilities, followed up by an email to an executive on 1 Oct 2022, but never hears back. On 1 Jan 2025 he hands over the case to DIVD CSIRT who validates his findings and tries to contact Sicomm too. An email to support on 14 Jan 2025, LinkedIn messages to several executives on 15 Jan 2025, another email to support on 22 Jan and a voice mail message to support on 26 Feb 2025 all go unanswered.
On 14 Mar 2025 we considered SicommNet informed as per our CNA policy and we published this case file online. We have also sent Sicomm a full report of our findings. We have sent a copy of the report to CISA, because Sicomm claims BASEC is primarily used by US entities and we have seen evidence of this.
On 14 Apr 2025 we issued a product warning and published the CVE records to the CVE datbase and on this site (* CVE-2025-22371, CVE-2025-22372, and CVE-2025-22373).
On 17 Apr 2025 we had a meeting with SicommNet. CVE-2025-22371 was fixed on 16 APr around 23:00 EST. We expressed our concerns about the system and it’s current state and the possibility is was compromised. SicommNet did not make any statements about password rotation or forensics. We received limited information on how Sicomm is adressing this issue forther, but hope to learn more in the future.
What you can do
Sicomm BASEC is offered as a service, so the only party capable of fixing these issues is Sicomm.
If you are currently using or in the past have used SicommNet BASEC, we urge you to:
- Stop using the tool
- Consider all data in the tool compromised:
- Do not trust any data in the tool, because it can have been altered by a malicious actor
- Consider all data in the tool as leaked
- Inform any person of which personal identifiable data (PII) is stored in the tool that their PII has leaked
- Inform any overseeing bodies of a data leak (if applicable)
What we are doing
For now all we can do is publish this case file and product warning. As of today the minimum wait time of 60 days before full disclosure has started.
Timeline
| Date | Description |
|---|---|
| 01 Dec 2021 | Source code discovered online |
| 14 Dec 2021 | First notification about public source code |
| 16 Dec 2021 | Second notification about public source code |
|
14 Dec 2021 ? |
Time to acknowledge public source code |
| 12 Feb 2022 | First notification about vulnerabilities |
| 01 Oct 2022 | Second notification about vulnerabilities |
| 01 Jan 2025 | Case handed over to DIVD CSIRT |
| 14 Jan 2025 | 3rd notification about vulnerabilities |
| 15 Jan 2025 | 4th notification about vulnerabilities. (To board members via LinkedIn) |
| 16 Jan 2025 | DIVD asks CISA for assistance |
| 22 Jan 2025 | 5th notification about vulnerabilities. |
| 26 Feb 2025 | 6th notification about vulnerabilities. (Via voicemail of support) |
| 14 Mar 2025 | 7th notification about vulnerabilities. Full report sent to Sicomm and CISA |
| 14 Mar 2025 | Publication of casefile |
| 14 Mar 2025 | Vendor considered aware, even without contact |
|
12 Feb 2022- 14 Mar 2025 |
Time to acknowledge receipt of vulnerabilities |
| 21 Mar 2025 | CISA has confirmed to be in contact with Sicomm |
| 02 Apr 2025 | Prompted the vendor for a response via the CISA portal |
| 14 Apr 2025 | Limited disclosure and product warning |
|
14 Mar 2025- 14 Apr 2025 |
Time for limited disclosure |
| 16 Apr 2025 | CVE-2025-22371 fixed |
|
14 Mar 2025- 16 Apr 2025 |
Time to patch CVE-2025-22371 |
|
14 Mar 2025 ? |
Time to patch other CVEs |
| 17 Apr 2025 | Teams meeting between SicommNet and DIVD |
| 12 Jun 2025 | Minimum wait time for full disclosure |