
DIVD-2025-00001 - Multiple vulnerabilities in Sicomm BASEC Service

Our reference: DIVD-2025-00001
Case lead: Frank Breedijk
Researcher(s):
  • Jesse Meijer
CVE(s):
Products:
  • Sicomm BASEC e-Procurement and Diversity Outreach solutions
Versions:
  • N/A, this is an online service
Recommendation: If you are a user of this service, please ask Sicomm to fix these vulnerabilities
Patch status: Unpatched
Status: Open
Last modified: 21 Apr 2025 15:19 CEST

Summary

In late 2021, during an investigation into hacked sites used in a spam network, DIVD researcher Jesse Meijer stumbles upon the source code of Sicomm BASEC, which is unrelated to that investigation. He decides to report to Sicomm that this source code is publicly available, but never gets a reply. Based on the source code he becomes suspicious that Sicomm BASEC contains vulnerabilities, and he manages to confirm his suspicions both in the source code and in the actual online service.

On 12 Feb 2022 he informs Sicomm support of the vulnerabilities, followed by an email to an executive on 1 Oct 2022, but never hears back. On 1 Jan 2025 he hands the case over to DIVD CSIRT, which validates his findings and also tries to contact Sicomm. An email to support on 14 Jan 2025, LinkedIn messages to several executives on 15 Jan 2025, another email to support on 22 Jan 2025 and a voicemail message to support on 26 Feb 2025 all go unanswered.

On 14 Mar 2025 we considered SicommNet informed as per our CNA policy and we published this case file online. We have also sent Sicomm a full report of our findings. We have sent a copy of the report to CISA, because Sicomm claims BASEC is primarily used by US entities and we have seen evidence of this.

On 14 Apr 2025 we issued a product warning and published the CVE records to the CVE database and on this site (CVE-2025-22371, CVE-2025-22372, and CVE-2025-22373).

On 17 Apr 2025 we had a meeting with SicommNet. CVE-2025-22371 was fixed on 16 Apr around 23:00 EST. We expressed our concerns about the system, its current state and the possibility that it was compromised. SicommNet did not make any statements about password rotation or forensics. We received limited information on how Sicomm is addressing this issue further, but hope to learn more in the future.

What you can do

Sicomm BASEC is offered as a service, so the only party capable of fixing these issues is Sicomm.

If you are currently using, or have in the past used, SicommNet BASEC, we urge you to:

What we are doing

For now all we can do is publish this case file and product warning. As of today the minimum wait time of 60 days before full disclosure has started.

Timeline

Date                        Description
01 Dec 2021                 Source code discovered online
14 Dec 2021                 First notification about public source code
16 Dec 2021                 Second notification about public source code
14 Dec 2021 - ?             Time to acknowledge public source code
12 Feb 2022                 First notification about vulnerabilities
01 Oct 2022                 Second notification about vulnerabilities
01 Jan 2025                 Case handed over to DIVD CSIRT
14 Jan 2025                 3rd notification about vulnerabilities
15 Jan 2025                 4th notification about vulnerabilities (to board members via LinkedIn)
16 Jan 2025                 DIVD asks CISA for assistance
22 Jan 2025                 5th notification about vulnerabilities
26 Feb 2025                 6th notification about vulnerabilities (via voicemail of support)
14 Mar 2025                 7th notification about vulnerabilities. Full report sent to Sicomm and CISA
14 Mar 2025                 Publication of case file
14 Mar 2025                 Vendor considered aware, even without contact
12 Feb 2022 - 14 Mar 2025   Time to acknowledge receipt of vulnerabilities (1126 days)
21 Mar 2025                 CISA has confirmed to be in contact with Sicomm
02 Apr 2025                 Prompted the vendor for a response via the CISA portal
14 Apr 2025                 Limited disclosure and product warning
14 Mar 2025 - 14 Apr 2025   Time for limited disclosure (31 days)
16 Apr 2025                 CVE-2025-22371 fixed
14 Mar 2025 - 16 Apr 2025   Time to patch CVE-2025-22371 (33 days)
14 Mar 2025 - ?             Time to patch other CVEs
17 Apr 2025                 Teams meeting between SicommNet and DIVD
12 Jun 2025                 Minimum wait time for full disclosure
Gantt chart: DIVD-2025-00001 - Multiple vulnerabilities in Sicomm BASEC Service (case still open). The chart plots the events and durations from the timeline above: time to acknowledge receipt of vulnerabilities 1126 days (12 Feb 2022 - 14 Mar 2025), time for limited disclosure 31 days (14 Mar 2025 - 14 Apr 2025), time to patch CVE-2025-22371 33 days (14 Mar 2025 - 16 Apr 2025); time to acknowledge the public source code and time to patch the other CVEs are still running.

More information