
CVE-2025-22371

SQL-injection in admin_login_handler allows unauthenticated user to log in as an administrator in SicommNet BASEC

CVE CVE-2025-22371
Title SQL-injection in admin_login_handler allows unauthenticated user to log in as an administrator in SicommNet BASEC
Case DIVD-2025-00001
Credits
Affected products
Product Affected Unaffected Unknown
SicommNet BASEC on SaaS >= 14 Dec 2021 to < * (custom)
everything else
CVSS
Base score 9.3 - CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Privileges Required NONE
Confidentiality Impact
Vulnerable system HIGH Subsequent systems LOW
Integrity Impact
Vulnerable system HIGH Subsequent systems NONE
Availability Impact
Vulnerable system HIGH Subsequent systems NONE
Safety impact NOT_DEFINED
Automatable YES
Recovery NOT_DEFINED
Value Density CONCENTRATED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Impact(s)
Exploit(s) Given that the vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.
Date published 12 Apr 2025 00:00 UTC
Last modified

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to bypass authentication and execute arbitrary SQL commands.

This issue affects BASEC at least from 14 Dec 2021 onwards. It is very likely that the vulnerability was present in the solution before that date.

As of the date of this CVE record, there has been no patch.
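To illustrate the weakness class this record describes (CWE-89 in a login handler used to bypass authentication), the following is an added example, not SicommNet code: a model of a string-built login query beside the parameterized form that removes the defect. The table schema, the sample admin row and the hashing are constructed assumptions for the example.

```python
import hashlib
import hmac
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the product's database; the
    # schema and the single admin row are assumptions for this example.
    # Unsalted SHA-256 keeps the example short; real systems use a
    # password KDF (argon2, bcrypt, scrypt).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO admins VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct-horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Anti-pattern (CWE-89): the caller's input is concatenated into the
    # SQL text, so quote and comment characters in `username` rewrite the
    # WHERE clause and the password check can be cut out of the query.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM admins WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Mitigation: a bound parameter keeps the input as data, never as SQL,
    # whatever characters it contains. The stored hash is compared in
    # constant time so the check does not leak through timing.
    row = conn.execute(
        "SELECT pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], pw_hash)
```

Against the same database, the parameterized handler accepts only the correct credentials, while the concatenating handler can be satisfied by a username containing SQL syntax and a wrong password.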

